In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the # BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Wednesday, September 20, 2017

12086 - Privacy and Security of Aadhaar A Computer Science Perspective - EPW

Privacy and Security of AadhaarA Computer Science Perspective 

Shweta Agrawal, Subhashis Banerjee, Subodh Sharma

We thank Reetika Khera for the many discussions, and Ambuj Sagar, Narayanan Kurur and the anonymous reviewer for suggestions on improving the manuscript. The first author thanks Manoj Prabhakaran for many helpful comments and Mihir Bellare for suggesting the use of fuzzy extractors.

Shweta Agrawal (shweta.a@gmail.com) is with the Department of Computer Science and Engineering, Indian Institute of Technology, Madras.

Subhashis Banerjee (suban@cse.iitd.ac.in) and Subodh Sharma (svs@cse.iitd.ac.in) are with the Department of Computer Science and Engineering, Indian Institute of Technology, New Delhi.

The article investigates the privacy and security issues of Aadhaar from a technology point of view. Specifically, the possibilities of identification and authentication without consent using the Aadhaar number or biometric data, and unlawful access of Aadhaar data in the central repository are examined.

The analysis suggests that privacy protection in Aadhaar will require an independent third party that can play the role of an online auditor; study of several modern tools and techniques from computer science; and strong legal and policy frameworks that can address the specifics of authentication and identification in a modern digital setting.

1 Introduction The Aadhaar project is the world’s largest national identity scheme, launched by the Government of India, which seeks to collect biometric and demographic data of residents and store these in a centralised database. To date, about 1.1 billion users have enrolled in the system. However, serious concerns have been raised over the privacy and security issues related to the Aadhaar project. In this article, we examine some of these issues from a computer science perspective.

1.1 Background Privacy concerns relating to the Aadhaar project have been the subject of much heated debate recently (Express News Service 2016; NDTV 2016a). Positions taken by the government and Unique Identifi cation Authority of India (UIDAI) on these issues have been ambiguous. Arguing before a bench in the Supreme Court, the Attorney General of India has claimed that Indian citizens have no constitutional right to privacy (PTI 2015). This is surprising not only because there are several interpretations of constitutional provisions and judgments to the contrary (Bhatia 2015; Kumar 2015) but also because it contravenes conventional wisdom and best practices in digital authentication and authorisation systems (Diffi e and Hellman 1979). The finance minister, while getting the Aadhaar bill passed as a money bill, announced that “the government presupposes privacy as a fundamental right” and claimed that the bill has tightened privacy provisions when compared to what was there in the previous version (Scroll Staff 2016). However, neither the government nor the UIDAI makes it clear what precisely are the privacy concerns that are being addressed, what precisely are the methods being deployed, and why the resulting proposal is secure. The UIDAI (2014) does describe the security measures it has put in place, but does not provide an analysis of the measures with respect to perceived threat levels and potential privacy breaches. This has resulted in an overall confusion about the impact on privacy engendered by the Aadhaar project. On the other hand, several civil society activists and social commentators (Arun 2016; Krishna 2017; Mehta 2017; Jayaram 2015; Ramanathan 2016; Vombatkere 2016; Makkar 2016; Duggal 2011; Dréze 2016) have expressed concerns about the weak privacy provisions in the Aadhaar project and the bill. However, while alerting to the possibilities of opening doors to mass surveillance, we feel that some of the commentaries have been unbounded in their criticisms and not entirely specific in SPECIAL ARTICLE 94 september 16, 2017 vol liI no 37 EPW Economic & Political Weekly their statements of concerns. The gist of most criticisms has been that the use of biometrics and a unique identification number (UIN), storage of biometric and demographic data, and authentication trails in a central repository are necessarily unsafe. However, whether breach of privacy is inevitable and whether there may exist technological and legal provisions which can make Aadhaar safe, are important questions that have not been adequately addressed. We note that some crucial lacunae in the identifi cation and authentication processes of Aadhaar have been pointed out by Centre for Internet & Society (CIS 2016), which also makes several important suggestions, including implementation of recommendations of Shah (Planning Commission 2012) and Sinha (Lok Sabha Secretariat 2012) committees. Despite these, thorough analyses of the possible ways in which privacy can be breached, and possible countermeasures both from technological and legal perspectives, remain missing. In this article, we endeavour to fi ll in some of this gap from a technology point of view.

1.2 Perspectives on Aadhaar: Pros and Cons At its core, the Aadhaar Act attempts to create a method for identifi cation of individuals so as to provide services, subsidies and other benefi ts to them. While the effectiveness of Aadhaar to the extent claimed in preventing leakages in social welfare schemes has been questioned (Khera 2011, 2015; Zhong 2016), the advantages of computerisation and reliably maintaining eligibility and distribution records in digital forms are well accepted (Masiero 2015; Khera 2013). Any digitisation requires indexes or unique IDs, and in social welfare schemes local unique IDs like ration or job card numbers are typically used. Standardising the digital record-keeping processes across geo graphies and verticals and linking the local IDs with the unique national identities provided by Aadhaar are tantamount to virtually collating the different digital record tables into one. Though the digital records may still be geographically distributed, real-time access to the data, using the Aadhaar IDs as handles, can then be provided to authorised central and state agencies for audit, monitoring, analysis, and planning purposes. Thus, the Aadhaar number provides a single index across all services that may use Aadhaar. Additionally, the Aadhaar project may provide the necessary impetus to standardisation and digitisation of other domains as well, many of which are long overdue. The Aadhaar IDs can be used to create local IDs for digitisation of new verticals easily. Even more importantly, Aadhaar can facilitate linking of local IDs in currently isolated verticals like census, education, healthcare and immunisation records, birth and death records, land records, property registration, income tax, banking, loans and defaults, police verifi cation and law enforcement, disaster management, security and intelligence and such others. Thus, Aadhaar may not only enable effi cient design, delivery, monitoring, and evaluation of services in each domain indi vidually but also offers the possibility of using modern data analytics techniques for fi nding large-scale correlations in user data that may facilitate improved design of social policy strategies and early detection and warning systems for anomalies. For example, it may be tremendously insightful to be able to correlate education levels, family incomes, and nutrition across the entire population; or disease spread with income and education. More generally, it may enable carrying out econometric analysis, epidemiological studies, automatic discovery of latent topics, and causal relationships across multiple domains of the economy (UN Global Pulse 2012; McNabb et al 2009; Krishnamurthy and Desouza 2014; Varian 2014; Einav and Levin 2014, 2013; Athey and Imbens 2015; Kleinberg et al 2015; McBride and Nichols 2015). Indeed, extending the scope of Aadhaar from just being an identification and authentication system for social welfare schemes to a system which generates largescale data and facilitates automated analysis and planning, can potentially lead to far-reaching benefits. At the same time, apart from the concerns of loss of privacy and civil liberties, the Aadhaar project has attracted considerable criticism for causing signifi cant disruptions and exclusions in social welfare schemes (Johari 2016; NDTV 2016a, b; Dréze 2016; Yadav 2016a, b; Khera 2016; Somanchi et al 2017), both due to careless deployment and uncertainties in biometric matching. We believe that all the above issues, both for and against, require careful analysis and rigorous evaluation; and that the technological, legal, and policy frameworks need to be considerably strengthened through debates and informed choices to evolve an effective national identity scheme.

1.3 Our Goal In the modern digital era, privacy protection does not demand that data should not be collected, stored, or used, but that there should be provable guarantees that the data cannot be used for any purpose other than those that have been approved. Recent advances in the discipline of computer science offer several novel and powerful solutions to address many of the privacy and security challenges posed by the Aadhaar project. Our goal is to carefully examine the security concerns, survey the technological tools that may aid us, and provide a fi rst order analysis of what might be feasible. Our approach is as follows. We first capture the functionality desired by the Aadhaar project. Next, we analyse the security risks and vulnerabilities engendered by each entity and each communication link in the Aadhaar model. We examine the security measures proposed by UIDAI and discuss where these may be lacking. We elucidate recent tools from computer science, particularly from the fields of cryptography and security, which may assist in providing safeguards: this puts some stated concerns to rest while simultaneously raising multiple unforeseen issues.

2 The Aadhaar Model In this section, we describe the various entities involved in Aadhaar and their interdependencies, which will enable us to reason about its privacy and security requirements. The Aadhaar authentication and identity verifi cation system comprises the following entities (UIDAI 2016b): SPECIAL ARTICLE Economic & Political Weekly EPW september 16, 2017 vol liI no 37 95 Central Identities Data Repository: The UIDAI is responsible for providing the basic identification and authentication services. It provides a unique identifier (Aadhaar number) to each resident and maintains their biometric and demographic data in a Central Identities Data Repository (CIDR). The UIDAI manages the CIDR and provides identifi cation and authentication services with yes/no answers. Authentication user agency: This agency provides services to users that are successfully authenticated. Thus, an authentication user agency (AUA) connects to the CIDR and uses aadhaar authentication to validate a user and enable its services. Examples of AUAs and services are banks, various state and central government ministries providing services such as the public distribution system (PDS), the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), and even private agencies like mobile phone operators. The responsibility of logistics of service delivery rests with the AUAs.
In this federated model, an AUA may choose to use only Aadhaar identifi cation, or also authentication in conjunction with their own legacy identification and authentication systems. An AUA is required to enter into a formal contract with UIDAI to be able to use Aadhaar authentication services.

Authentication service agency: This is an entity that has a secure leased line connectivity with the CIDR. Authentication service agencies (ASAs) transmit authentication requests to CIDR on behalf of one or more AUAs. An ASA enters into a formal contract with UIDAI. Users: These comprise the residents of the country who enrol themselves with UIDAI and are issued UINs (Aadhaar numbers). A user has to present this number as the basic identifi cation to an AUA for availing Aadhaar authentication services. The Aadhaar number for a user is common across all AUAs and service domains.

Point of sale: This device, also known as authentication device, collects personal identity data from Aadhaar holders, prepares the information for transmission, transmits the auth entication packets for authentication, and receives the authentication results. Enrolment station: This is a collection of fi eld devices used by enrolment agencies appointed by UIDAI to enrol people into the Aadhaar database and capture their demographic and biometric particulars. The Aadhaar number is common across all AUAs and service domains. The framework (without the enrolment station) is captured in Figure 1. 3 Definitions, Assumptions and Requirements In this section, we do a requirement analysis for privacy and security. To begin with, we provide some definitions.

3.1 Identity Verification vs Authentication Aadhaar is a national identity project, but we believe that the subtle difference between identity verification and authentication is itself not well understood, and this leads to confusions in policymaking and deployment. Below, we attempt to fi rst demarcate the two concepts. According to standard notions of digital authentication, a security principal (a user or a computer), while requesting access to a service, must provide two independent pieces of information—identity and authentication. Whereas identity provides an answer to the question “who are you?,” authentication is a challenge-response process that provides a “proof of the claim of identity,” typically using an authentication credential. Common examples of identity are user ID (login ID), cryptographic public keys, email IDs, ATM, or smart cards; some common authentication credentials are passwords (including, one-time passwords [OTPs]), PINs and cryptographic private keys. Identity may be considered public information but an authentication credential must necessarily be private— a secret that is known only to the user. Moreover, authentication must be a conscious process that requires active participation by a user, but not necessarily so for identity verification. For example, a bank may want an identity verification while opening an account at which stage no secret like a password is usually necessary, but a user needs to authenticate with a PIN for transactions like ATM withdrawals. No publicly known information should be used as an authentication credential.

3.2 Privacy Protection: Fundamental Assumptions To determine the extent to which security and privacy are achieved, we must fi rst defi ne the desired expectations in this context. Our analysis is based on certain assumptions, which we believe are fundamental. Authentication without consent should never be possible under any circumstances. Identifi cation without consent should also not be possible except in some special situations like disaster management, identifi cation of accident victims, law enforcement and such others. It should be noted that providing one’s identity for obtaining services in any local context is always with consent. Figure 1: The Aadhaar Authentication Framework Aaadhar User UIDAI’s CIDR YES/NO Response YES/NO Response ASA Communication AUA 2 6 3 5 4 1 7 ASA Repository Authentication Devices Updates and Confirmations AUA Specific Communication Authenticated Request Service Delivery Source: Figure inspired from UIDAI 2016b. SPECIAL ARTICLE 96 september 16, 2017 vol liI no 37 EPW Economic & Political Weekly Unapproved profi ling, tracking, and surveillance of individuals should not be possible. There should be suffi ciently strong measures to prevent such breaches in privacy, with user-verifi - able proof of the same.

The technical implementation of privacy and security must be provably correct with respect to the legal framework. The legal framework, in turn, needs to be suitably enhanced with special provisions to protect the privacy of individuals and society in an advanced information technology setting.

3.3 Possible Ways of Breach of Privacy In what follows, we briefly examine the various ways in which the privacy of an individual can be compromised in a setting such as in Aadhaar. Correlation of identities across domains: It may become possible to track an individual’s activities across multiple domains of service (AUAs) using their global Aadhaar IDs which are valid across these domains. This would lead to identifi cation without consent. Identity theft: This may happen through leakage of biometric and demographic data, either from the central repository, or from a POS or enrolment device. Identifi cation without consent using Aadhaar data: There may be unauthorised use of biometrics to illegally identify people. Such violations may include identifying people by inappropriate matching of fingerprint or iris scans or facial photographs stored in the Aadhaar database, or using the demographic data to identify people without their consent and beyond legal provisions. Illegal tracking of individuals: Individuals may be tracked or put under surveillance without proper authorisation or legal sanction using the authentication and identification records and trails in the Aadhaar database, or in one or more AUA’s databases. Such records will typically also contain information on the precise location, time, and context of the authentication or identifi cation and the services availed. We wish to emphasise that “insider attacks” are the most dangerous threats in this context. For instance, the last three attacks above are much more likely if the attacker can collude with an insider with access to various components of the Aadhaar system.

3.4 Requirement Analysis for Privacy Protection In view of the above, effective privacy protection not only requires protecting the Aadhaar system from external attacks but from internal attacks as well. This requires strong guarantees on securing the data, logs and the transaction trails in the Aadhaar and the AUA systems. UIDAI cannot be trusted against possible system hacks, insider leaks, and tampering of authentication records and audit trails. Indeed, the identity verification and authentication providing applications running on UIDAI computer systems should be trustworthy even when the UIDAI systems and the network cannot be trusted. Manual inspection of user data, authentication records, and audit trails should not be allowed. In special cases of properly authorised investigations, such inspections may only be possible through pre-approved, audited, and provably tamper-proof computer programmes, and an accurate tamper-proof record of the entire investigation and digitally signed authorisation chain must be maintained at all times. The enrolment agencies and the enrolment devices cannot be trusted from data privacy and security points of view; neither can the POS devices and various AUAs, whether government or private, be trusted for data protection. AUAs cannot be trusted with biometric and demographic data; neither can they be trusted with sensitive user data of private nature (for example, medical and immunisation records, etc). All provisions of data privacy and security that apply to UIDAI must also apply to the AUAs. Strong legal and policy frameworks are required to ensure this. It should not be possible to correlate identities across application domains, except on suitably anonymised data through pre-approved, audited, and provably tamper-proof computer programs for carrying out data analysis. In what follows, we discuss the various threats and vulnerabilities that result from the Aadhaar project in more detail and analyse the measures adopted by the UIDAI against these. We also suggest a few possibilities of enhancing the privacy and security protections.

4 Authentication without Consent As we have already discussed, authentication without consent should not be possible under any circumstances. Additionally, it should be possible to revoke an authentication credential in case it is compromised, with the identity of the individual remaining intact. UIDAI defi nes Aadhaar authentication as follows: Aadhaar authentication is the process wherein Aadhaar number, along with other attributes (demographic/biometrics/OTP) is submitted to UIDAI’s Central Identities Data Repository (CIDR) for verifi cation; the CIDR verifi es whether the data submitted matches the data available in CIDR and responds with a Yes/No. No personal identity information is returned as part of the response. (UIDAI 2016a)

The UIDAI (2016a) goes on to define five types of Aadhaarbased authentication:

Type 1 authentication: Through this offering, service delivery agencies can use Aadhaar authentication system for matching the Aadhaar number and demographic attributes (name, address, date of birth, etc) of a resident.

Type 2 authentication: This offering allows service delivery agencies to authenticate residents through OTP delivered to their mobile number and/or email address present in CIDR.

Type 3 authentication: Through this offering, service delivery agencies can authenticate residents using one of the biometric modalities, either iris or fi ngerprint. SPECIAL ARTICLE Economic & Political Weekly EPW september 16, 2017 vol liI no 37 97

Type 4 authentication: This is a two-factor authentication offering with OTP as one factor and biometrics (either iris or fi ngerprint) as the second factor for authenticating residents.

Type 5 authentication: This offering allows service delivery agencies to use OTP, fingerprint, and iris together for authenticating residents. Thus, we see that authentication is implemented in Aadhaar via the mechanisms of passwords and biometric information. However, in the usage of biometrics, we believe there is an implicit confusion between the concepts of identity verification and authentication. In the above usage, biometric information is used for authentication relying on the unstated assumption that this information is private. However, we argue that biometric data is public: for instance, people’s fingerprints can be lifted without their consent from a variety of objects that they may touch and their iris data may be picked up by high resolution, directional cameras from a distance. Even DNA information can be obtained from the objects that users may touch (Houck and Houck 2008). Hence, fraudulent presentation of biometric data for authentication, without conscious participation by a user, is a definite possibility (Akhtar 2012). Another difficulty with using biometrics as authentication credentials is that revoking biometrics like fi ngerprints or iris for a compromised user is problematic

1 The analysis in the prior section leads us to conclude that the usage of only biometrics in the context of Aadhaar authentication (Type 3 authentication above) has significant problems. Type 1 authentication is susceptible to the same problem, since it also uses public information for authentication. It will be necessary to use other factors, like trustworthy manual oversight, in conjunction with these modalities for authentication. The other types use at least one private modality and are hence safe. We note that biometrics can certainly be very useful for identity verification. A careful case analysis must be performed to delineate whether identity verification or authentication is required in any given context, and UIDAI should appropriately change its authentication architecture to account for the above. Also, the legal and policy frameworks must make a clear distinction between authentication and identity verifi cation.

5 The Aadhaar Number and the Possibility of Identification without Consent The Aadhaar number is at the heart of the Aadhaar scheme and is one of the biggest causes of concern. Recall that the Aadhaar number is a single unique identifi er that must function across multiple domains. Given that the Aadhaar number must necessarily be disclosed for obtaining services, it becomes publicly available, not only electronically but also often in human readable forms as well, thereby increasing the risk that service providers and other interested parties may be able to profile users across multiple service domains. Once the Aadhaar number of an individual is (inevitably) known, that individual may be identified without consent across domains, leading to multiple breaches in privacy (Makkar 2016; CIS 2016; LSE 2005). Another worrisome issue is that of identity theft, and its potential for damage now increases manifold. As an illustrative example, let us consider the United States (US) Social Security Number (SSN) (SSA 2017). The primary difference between Aadhaar and SSN is that the SSN does not have any biometric identifier attached and it does not support authentication. The SSN associated with a person provides a single interface to the person’s dealings with a vast number of public and private bodies, very similar to how the usage of the Aadhaar number is being envisaged. While this facilitates use of administrative data for useful data analytics (McNabb et al 2009), the ease of obtaining the SSN from across public and private databases also results in extremely high number of identity theft cases in the US (LSE 2005: 100). The UIDAI does acknowledge the possibility of breach of privacy that can arise due to the use of a single identifier across multiple domains and recommends that the AUAs should use only domain specific identifiers in their dealings with people (UIDAI 2011:7). Examples of domain specific identifiers are bank account numbers, passport numbers, driving licence numbers, ration card numbers, etc. The UIDAI mandates that the AUAs should maintain a mapping between their domain specifi c identifi ers and the global Aadhaar numbers at their back end. The UIDAI does not maintain any such mapping and assumes that there cannot be any breach of privacy from the UIDAI because the mappings are unidirectional. This, however, does not fully mitigate the risks and, the possibility of leakage of the Aadhaar number from an AUA—either from the database, or during “know your customer” (KYC) processes, or even during availing services—cannot be ruled out. In particular, there appear to be no safeguards or even guidelines, either technical or legal, on how the Aadhaar number should be maintained and used by various AUAs in a cryptographically secure way, and how to prevent the Aadhaar number of an individual from becoming public. In fact, in many of the schemes that require Aadhaar authentication, it is necessary to provide the Aadhaar number as a public identifi er which violates UIDAI’s own recommendations. With such weak provisions, identifi cation without consent and correlation of identities across application domains without approval remain as real possibilities. Additionally, since the Aadhaar number is supposed to be valid for life (UIDAI 2011), it cannot easily be revoked in case of an identity theft or if the Aadhaar number is compromised in any other way. Thus, linking individuals across domains with a global identifi er for legitimate data analysis and the possible loss of privacy because of the correlation of identity across domains such a global identifier facilitates are conflicting requirements. An alternative and more principled strategy to resolve the conflict would be for the UIDAI to issue different local identifi ers (different Aadhaar numbers) for different domains, but to cryptographically embed in to all local identifi ers a unique “master identifier.” Several alternatives are possible. One may design the identifiers so that no linking across domains is SPECIAL ARTICLE 98 september 16, 2017 vol liI no 37 EPW Economic & amp; Political Weekly possible at all and it is impossible to isolate the global signature from any of the local identifiers. The linking then becomes unidirectional, but in the reverse direction to what UIDAI has currently suggested. Alternatively, one may allow limited linking across domains, either bidirectional or even unidirectional. The London School of Economics and Political Science (LSE 2005) identity report actually suggests such a scheme. Correlation across multiple domains using the master identifier, through cryptographically secure and pre-approved data analytics software, will always be possible in such a scheme. Sufficiently strong cryptographic measures should be used to embed the master identifier in to the local ones to prevent against possible external correlation attacks. Also, a major shift in the policy framework is necessary to reverse the direction of linking.

6 Protection of User Data In Section 2, we discussed that a major threat to privacy of users arises from the possibility of insider attacks. In this section, we discuss the possibilities of securing Aadhaar from such threats.

6.1 Threat Levels In what follows, we outline the various levels of threat that are possible and measures that can be taken in each case. Among others, this scenario is common in internet banking, where the application and authentication servers are usually the same; in campus networks, where snooping and attacks are fairly common; and in various internet and mobile application-based services that use Google or Facebook for authentication. The basic security requirements in such situations are that the authentication servers and the application servers must authenticate themselves to each other and to the clients, to prevent against possible man-in-the-middle attacks (Wikipedia 2016f); and user credentials and other critical data must never travel over the network in unencrypted form. The above requirements can be met via a slew of known techniques, almost all of which rely on public key cryptography (PKI) (Wikipedia 2016h). This is a more challenging security situation where, in addition to the above, one also has to worry about data leaks from the servers, either due to hacking or even due to insider leaks.

Some common countermeasures are:
(i) the authentication servers must never store any user credentials and may only store a Hash (Wikipedia 2016a), a value computed from user credential(s) using a non-invertible function, and use it for matching. Then, user credentials can never leak;
(ii) all critical data, records and logs must be stored only in encrypted forms on the servers. The decryption keys should not be easily accessible;
and (iii) there must be provisions for tamper detection for both data and programs. Popular solutions to realise the above-mentioned countermeasures, such as secure hash algorithms (SHA-n) (Wikipedia 2016i, a) and Kerberos authentication protocol (Wikipedia 2016d) do exist and are frequently employed. In even stricter situations, one may require in addition that the authentication servers must never store any information about user credentials, not even a hash. Also, no process at the authentication servers should be able to glean any information whatsoever about user credentials from the information exchange during an authentication process.

Stronger guarantees for tamper detection should be employed. In particular, the authentication and other servers must be able to prove to any designated auditor that they have not been tampered with and are running only pre-approved and inspected computer programs. The servers must also be able to prove that none of their data, including records and log fi les, have been manually inspected or modified. In almost all internet applications, including banking, it is tacitly assumed that the client access devices mobiles and handhelds, laptops and desktop computers are trusted, and the responsibility of data protection in these devices is passed on to the users. However, in special situations where the access devi ces are not owned by the users but are supplied by service providers, the users may have a right to be assured that data and credentials cannot be compromised from the access devices. Examples of such access devices are ATMs, Aadhaar enrolment stations, and other POS terminals. In all such cases, one may require that a client terminal or a POS device must be able to prove at all times to the server, and also to any approved third party auditor, that it has not been tampered with and does only what it is supposed to do. It should also be able to provide such a proof to a discerning user.

6.2 Analysis of UIDAI Measures The security and privacy infrastructure of UIDAI has the following main features (UIDAI 2014): (i) There is 2048 bit PKI (Wikipedia 2016h) encryption of biometric data in transit and end-to-end encryption from enrolment/POS to CIDR. (ii) There are trusted network carriers (ASAs) between CIDR and AUAs. Effective precaution has been taken against denial of service (DOS) attacks. (iii) HMAC (Wikipedia 2016c) based tamper detection of PID (personal identity data) blocks, which encapsulate biometric EPWRF India Time Series Expansion of Banking Statistics Module (State-wise Data) The Economic and Political Weekly Research Foundation (EPWRF) has added state-wise data to the existing Banking Statistics module of its online India Time Series (ITS) database. State-wise and region-wise (north, north-east, east, central, west and south) time series data are provided for deposits, credit (sanction and utilisation), credit-deposit (CD) ratio, and number of bank offi ces and employees. Data on bank credit are given for a wide range of sectors and sub-sectors (occupation) such as agriculture, industry, transport operators, professional services, personal loans (housing, vehicle, education, etc), trade and fi nance. These state-wise data are also presented by bank group and by population group (rural, semi-urban, urban and metropolitan). The data series are available from December 1972; half-yearly basis till June 1989 and annual basis thereafter. These data have been sourced from the Reserve Bank of India’s publication, Basic Statistical Returns of Scheduled Commercial Banks in India. Including the Banking Statistics module, the EPWRF ITS has 16 modules covering a range of macroeconomic and fi nancial data on the Indian economy. For more details, visit www.epwrfi ts.in or e-mail to: its@epwrf.in SPECIAL ARTICLE Economic & Political Weekly EPW september 16, 2017 vol liI no 37 99 and other data at the fi eld devices, is one of the security features of the UIDAI infrastructure. (iv) There is registration and authentication of AUAs. (v) Within CIDR, only a SHA-n Hash (Wikipedia 2016i) of Aadhaar number is stored. (vi) Audit trails are stored SHA-n encrypted (Wikipedia 2016o), possibly also with HMAC (Wikipedia 2016c) based tamper detection. (vii) Only hashes of passwords and PINs are stored. Biometric data are stored in original form though. (viii) Authentication requests have unique session keys and HMAC (Wikipedia 2016c). There is protection against replay attacks. (ix) Resident data is stored using 100-way sharding (vertical partitioning) (Wikipedia 2016j). First two digits of Aadhaar number are used as shard keys. (x) All enrolment and update requests link to partitioned databases using RefIDs (coded indices). (xi) All system accesses, including administration, through a hardware security module (HSM) (Wikipedia 2016b) which maintains an audit trail. (xii) All analytics are carried out only on anonymised data. While these measures appear to be quite reasonable against external attacks, they may not be enough to forestall insider attacks. Though the safeguards adequately address the threat scenario, they are not adequate for the threat levels described in Section 6.1. For something as important as the national identity project, one will have to assume that the biggest security and privacy threats come from insider leaks. These include possible unauthorised and surreptitious examination of data, transaction records, logs and audit trails by personnel with access, leading to profi ling and surveillance of targeted groups and individuals, perhaps at the behest of interested and infl uential parties in the state machinery itself. Hence, one would ideally like to have provisions to guard against the threat levels described in Section 6.1. There are a number of apparent weaknesses in the system. Most of the security measures are based on cryptographic encryption techniques that require cryptographic keys to decode. Protection of these keys is of great importance, and it is necessary to have suitable measures to do so. Currently, we do not fi nd mention of any such measures, and we believe that assuming trust in this context is a signifi cant vulnerability. We do not believe that HSMs (Wikipedia 2016b), which are also under the administrative control of the same organisation, offer adequate protection against insider attacks for something as crucial as the national identity verifi cation and authentication system. There appears to be no well-defi ned and cryptographically sound approval procedure for data inspection, whether for investigation or for analytics. This makes the system extremely open to abuse. There appears to be no well-defi ned procedure for audit and approval of various UIDAI programs and software. In particular, one would like to be able to establish that the programs have not been tampered with and are doing precisely what they are supposed to do. There appears to be no proper tamper detection and runtime audit of the fi eld devices, including enrolment stations, to ensure that they are functioning true to specifi cations, and that there is no possibility of data leakage from the fi eld devices. Without such measures it will have to be assumed that leakage of data is always possible. Finally, we note that user biometric data are stored in the central repository, perhaps encrypted, but this still violates an important safeguard that we mentioned in Section 6.1 that user credentials should never be stored on the server. Unless there are some specifi c reasons to store the original biometric data, it may be safer to store only non-invertible intermediate representations which are suffi cient for matching (Tulyakov et al 2005; Dodis et al 2004). 6.3 Possible Measures against Insider Attacks Our starting point is that the environment in which the CIDR programs (code) are executed cannot be assumed to be trusted. One must address the possibility that the attacker has full access to the computer programmes that may be running on the UIDAI database. This may include both the source code and the runtime environment. How can one hope to secure such a system against insider attacks? We believe that two independent lines of defence are required: First, there has to be an independent third party that can play the roles of an online auditor and keeper of cryptographic keys; and second, several modern tools and techniques from computer science offer (partial) solutions to these problems. These need to be studied, evaluated and appropriately deployed. In what follows, we briefl y describe each of these. Note that although critical data and transaction logs are maintained encrypted within the UIDAI, the decryption keys are also stored in the UIDAI systems. Since the decryption must happen routinely, the computer programs running in the UIDAI systems must be able to access these keys. There is no reason to believe that these keys cannot be retrieved with the collusion of multiple parties within the UIDAI in which case the data may be illegally accessed. Distributed key management: At least a part of every crucial decryption key must remain with the third party, and a distributed key management protocol (Wikipedia 2016e) must be put in place. The third party must share the portion(s) of the key(s) it holds with a corresponding computer program in the CIDR at run-time, through a secure channel, only after authenticating the genuineness of the program using a secure certifi cate and verifying that the program has not been tampered with. Audit and approval of UIDAI programs: To enable the above, it will be necessary for the auditor to examine, approve and cryptographically sign every program that may run in the CIDR. Thereafter, these programs should periodically during run-time and on demand cryptographically prove to the auditor’s programs that they are genuine and have not been tampered with. SPECIAL ARTICLE 100 september 16, 2017 vol liI no 37 EPW Economic & Political Weekly Audit of data inspection: All data inspection, including those through special purpose programs for data analytics, should be digitally approved by the auditor. There has to be proper legal provisions for setting up such online third-party audit and key-management systems. Even with the above measures in place, the complete decryption keys will have to reside in the memory of the UIDAI computer systems at some point during the execution. A welltrained system administrator, with access to the hardware and the operating system, may still be able to access the decryption keys from the system’s memory. There are a variety of tools in computer science that may provide a defence against such attacks at the time of execution. We describe some of them below. Storing hash of biometric data: Since the Aadhaar database stores sensitive biometric data of individuals, a useful strategy to protect this data is to store only a non-invertible hash of biometric data, which converts a string representing biometric data to a nearly uniform random string which does not leak any information about the individual. Some techniques to achieve these are fuzzy extractor (Dodis et al 2004) and symmetric hashing (Tulyakov et al 2005). Tamper-proof code: A signifi cant cause of concern is that a malicious insider may be able to modify the code so that it behaves arbitrarily. Such attacks are dangerous not just in terms of denial of service but also because arbitrary behaviour may lead to leakage of secrets embedded in the code. Third-party audit will be required to set up the processes to ensure that the code is tamper free. The third-party auditors can rely on known practices in the formal verifi cation and validation literature (such as CFI, model checking, static code analysis, etc (Wikipedia 2016k) to realise sought countermeasures. Tamper-proof hardware: In addition to software solutions, tamper-resistant hardware may also be leveraged for protection of cryptographic keys or data. Trusted hardware may be leveraged to provide sought integrity and confi dentiality. Here again, setting up and the safe-keeping of the trusted hardware has to be entrusted to a third party organisation different from the UIDAI. For instance, Intel’s Software Guard Extensions (Costan and Devadas 2016) and its forerunners provide handy off-the-shelf solutions for trusted hardware. Secure multiparty computation: Another method to secure keys or other private inputs is offered by the fi eld of secure multiparty computation. Secure multiparty computation (Wikipedia 2016g) is a fi eld of cryptography that allows several mutually distrustful parties, each wishing to maintain privacy of their input data, to perform some computation on their joint data. This ensures that even if one server is hacked into, the data remains protected. Secure multiparty computation can be used to answer queries on the data distributed across servers. Homomorphic and functional encryption: Another security threat is the possibility of server breaches, whether the attack is launched from inside or outside the organisation. To prevent a server breach from leaking valuable user data, critical data needs to be stored on the server in an encrypted form. In order to perform analytics directly over encrypted data, one could resort to homomorphic and functional encryption techniques (Sahai and Waters 2005; Gentry 2009) or symmetric searchable encryption (Bellare et al 2007; Curtmola et al 2011). White-boxing and code obfuscation: Another useful class of defences against insider attacks comes from techniques developed in the area of white-box cryptography. Typically, one ass umes that attacks are black box, that is an attacker has access to the input and the output of a program, but not to the internal workings of the program. However, an insider may have full access to the source code and the binary fi le running on the system, and also the corresponding memory pages during execution. Additionally, the attacker can also possibly make use for debuggers and emulators, intercept system calls and, tamper with the binary and its execution. Such attacks are called white-box attacks, and white-box cryptography (Wyseur 2008) aims to implement cryptographic procedures in software that transform and obfuscate code and data in such a way so that the cryptographic assets remain secure even when subject to white-box attacks. 6.4 Securing Field Devices Finally, client access devices (or POS devices) can broadly be understood to have the same critical components that CIDR servers have: hardware (the device itself) and the application(s) running on the device. Solutions to secure client devices are no different than the solutions for servers that we discussed above. 7 Conclusions We have analysed the Aadhaar project from the points of view of privacy and security, and have pointed out some technical weaknesses and possible remedies. We summarise our analysis and key fi ndings in Table 1 (p 101). Thus, though there are serious privacy concerns at present, we believe that Aadhaar can be made safe from a technology perspective with due diligence. The legal framework, however, needs to be more specifi c and requires signifi cant strengthening. Perhaps the single-most important specifi c question that begs answering is who should have the right to verify the identity of an individual, and under what circumstances? Above all, we believe that the Aadhaar project requires informed and comprehensive policy debates, covering all angles, to realise its full effectiveness without causing the kind of privacy concerns and disruptions that have been reported. The effectiveness of biometric identifi cation and to what extent are the biometric features required are remaining important questions that require further study. SPECIAL ARTICLE Economic & Political Weekly EPW september 16, 2017 vol liI no 37 101 Table 1: Summary of Our Analysis and Recommendations Issue Shortcoming in UIDAI Measures Key Recommendations Authentication without consent • Biometric and demographic data are public; • Demarcate identity verification and authentication. hence, can be used without consent • Strengthen legal and policy frameworks See Sections 3 and 4 for details. Identification without consent • Unidirectional linking from AUA-specific • Unidirectional linking from Aadhaar id to AUA-specific IDs using Aadhaar number local IDs to Aadhaar ID • No guidelines on safe maintenance of • Cryptographically embed Aadhaar id into AUA-specific IDs Aadhaar numbers by AUAs. making correlation impossible • Vulnerable to correlation of identity across domains. See Section 5 for details. Unlawful access of CIDR data leading • Inadequate protection against insider • Separate administrative control for online audit and key management to profiling, tracking and surveillance attacks on CIDR data • Legal framework for the above • CIDR data encrypted but the decryption • Only hashes of biometric data must be stored on servers keys reside in CIDR • Manual inspection of CIDR data must not be possible • UIDAI human managers can have access • Only pre-approved and audited computer programs to decryption keys with tamper-proof guarantees should access CIDR data • All investigations and analyses only with prior audit and approval through pre-approved computer programs • Tamper-proof guarantees for field devices • Adopt modern tools from computer science to implement the above protections See Section 6 for details.

Note 1 We note that there is a notion of cancellable biometrics, but this is still in the research domain (Patel et al 2015; Tulyakov et al 2005) and may not yet integrate well with commercial matching software. References Akhtar, Zahid (2012): “Security of Multimodal Biometric Systems against Spoof Attacks,” PhD Diss, Department of Electrical and Electronic Engineering, University of Cagliari, https://pralab.diee. unica.it/sites/default/fi les/Akhtar_PhD2012.pdf. Arun, Chinmayi (2016): “Privacy Is a Fundamental Right,” Hindu, 18 March, http://www.thehindu. com/opinion/lead/lead-article-on-aadhaar-billby-chinmayi-arun-privacy-is-a-fundamentalright/article8366413.ece. Athey, Susan and Guido W Imbens (2015): “Machine Learning for Estimating Heretogeneous Casual Effects,” Working Paper No 3350, Stanford University, https://www.gsb.stanford.edu/facultyresearch/working-papers/machine-learningestimating-heretogeneous-casual-effects. Bellare, Mihir, Alexandra Boldyreva and Adam ONeill (2007): “Deterministic and Effi ciently Searchable Encryption,” Advances in Crypto logy– CRYPTO 2007, pp 535–52. Bhatia, Gautam (2015): “Sorry, Mr Attorney-General, We Do Actually Have a Constitutional Right to Privacy,” Wire, 28 July, https://thewire.in/ 7398/sorry-mr-attorney-general-we-do-actually-have-a-constitutional-right-to-privacy/. CIS (2016): “List of Recommendations on the Aadhaar Bill, 2016: Letter Submitted to the Members of Parliament,” Centre for Internet & Society, https://cis-india.org/internet-governance/blog/list-of-recommendations-on-theaadhaar-bill-2016. Costan, Victor and Srinivas Devadas (2016): “Intel SGX Explained,” IACR Cryptology ePrint Arc hive, 86, https://eprint.iacr.org/2016/086.pdf. Curtmola, Reza, Juan Garay, Seny Kamara and Rafail Ostrovsky (2011): “Searchable Symmetric Encryption: Improved Defi nitions and Effi cient Constructions,” Journal of Computer Security, Vol 19, No 5, pp 895–934. Diffi e, Whitfi eld and Martin E Hellman (1979): “Privacy and Authentication: An Introduction to Cryptography,” Proceedings of the IEEE, Vol 67, No 3, pp 397–427, http://ieeexplore.ieee.org/ stamp/stamp.jsp?arnumber=1455525. Dodis, Yevgeniy, Leonid Reyzin and Adam Smith (2004): “Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data,” International Conference on the Theory and Applications of Cryptographic Techniques, Switzerland, Conference proceedings EUROCRYPT 2004, pp 523–40. Drèze, Jean (2016): “The Aadhaar Coup,” http:// www.thehindu.com/opinion/lead/jean-drezeon-aadhaar-mass-surveillance-data-collection /article8352912.ece. Duggal, Pavan (2011): “Does the UID Project Infringe on Privacy?,” http://www.business-stan dard. com/article/opinion/does-the-uid-project-infringe-on-privacy-111080300006_1.html. Einav, Liran and Jonathan D Levin (2013): “The Data Revolution and Economic Analysis,” Working Paper 19035, National Bureau of Economic Research, http://www.nber.org/papers /w19035. — (2014): “Econo mics in the Age of Big Data,” Science, Vol 346, No 6210, http://science.sciencemag.org/content/ 346/6210/1243089. Express News Service (2016): “Aadhar Bill Passed in Lok Sabha, Opposition Fears Surveillance,” Indian Express, 12 March, http://indianexpress. com/article/india/india-news-india/aadharcard-uid-bill-lok-sabha-arun-jaitley/. Gentry, Craig (2009): “Fully Homomorphic Encryption Using Ideal Lattices,” Proceedings of the Forty-fi rst Annual ACM Symposium on Theory of Computing (STOC 2009), pp 169–78. Houck, Max and Lucy Houck (2008): “What Is Touch DNA?,” Scientifi c American, http://www.scientifi camerican.com/article/experts-touch-dnajonbenet-ramsey/. Jayaram, Malavika (2015): “Aadhaar Debate: Privacy Is Not an Elitist Concern It’s the Only Way to Secure Equality,” Scroll.in, 15 August, http:// scroll.in/article/748043/aadhaar-debate-privacy-is-not-anelitist-concern-its-the-only-wayto-secure-equality. Jennifer McNabb, David Timmons, Jae Song and Carolyn Puckett (2009): “Uses of Administrative Data at the Social Security Administration,” Social Security Bulletin, Vol 69, No 1, https://www. ssa.gov/policy/docs/ssb/v69n1/v69 n1p75.html. Johari, Aarefa (2016): “In Drought-hit Saurashtra, Poor Internet Network Can Often Mean No Food Rations,” Scroll.in, 29 June, http://scroll. in/article/810683/in-drought-hit-saurashtrano-internetcan-often-mean-no-food-rations. Khera, Reetika (2011): “The UID Project and Welfare Schemes,” Economic & Political Weekly, Vol 46, No 9. — (2013): “Lessons from the East Godavari Pilot,” Hindu, 11 April, http://www.thehindu.com/ opinion/lead/lessons-from-the-east-godavaripilot/article4603273.ece. — (2015): “Five Myths about Aadhaar,” Outlook, 18 September, http://www.outlookindia.com/ website/story/fi ve-myths-about-aadhar/295364. — (2016): “Aadhaar-enabled Exclusion and Corruption,” Deccan Herald, 27 November, http:// www.deccanherald.com/content/583315/aadhaar-enabled-exclusion-corruption.html. Kleinberg, Jon, Jens Ludwig, Sendhil Mullainathan and Ziad Obermeyer (2015): “Prediction Policy Problems,” American Economic Review, Vol 105, No 5, pp 491–95, http://www.aeaweb.org/ articles?id=10.1257/aer.p20151023. Krishna, Gopal (2017): “Will Aadhaar Cause Death of Civil Rights?,” Business Today, 23 March, http:// www.businesstoday.in/magazine/columns/willaadhaar-cause-death-of-civil-rights/story/248331. html. Krishnamurthy, Rashmi and Kevin C Desouza (2014): “Big Data Analytics: The Case of Social Security Administration,” Information Policy, Vol 19, pp 165–78, http://ssrn.com/abstract =2757871. Kumar, Ashwani (2015): “Privacy, a Non-negotiable Right,” Hindu, 10 August, http://www.thehindu. com/opinion/lead/privacy-a-nonnegotiableright/article7519148.ece. Lok Sabha Secretariat (2011): “The National Identi- fi cation Authority of India Bill, 2010,” Standing Committee on Finance (2011–12), 42nd Report, Ministry of Planning, www.prsindia.org/uploads/media/UID/uid%20report.pdf. LSE (2005): “The Identity Project: An Assessment of the UK Identity Cards Bill and Its implications,” The London School of Economics and Political Science, http://eprints.lse.ac.uk/684/. Makkar, Sahil (2016): “Aadhaar Is Actually Surveillance Tech: Sunil Abraham,” Business Standard, available at Gyan Deep Near Firayalal, H. B. Road Ranchi 834 001 Jharkhand Ph: 0651-2205640 SPECIAL ARTICLE 102 september 16, 2017 vol liI no 37 EPW Economic & Political Weekly 12 March, http://www.business-standard.com/ article/opinion/aadhaar-is-actually-surveillancetech-sunil-abraham-116031200790_ 1.html. McNabb, Jennifer, David Timmons, Jae Song and Carolyn Puckett (2009): “Uses of Administrative Data at the Social Security Administration,” Social Security Bulletin, Vol 69, No 1, https:// www.ssa.gov/policy/docs/ssb/v69n1/v69n1p75. html. Masiero, Silvia (2015): “PDS Computerisation: What Other States Can Learn from Kerala,” Ideas for India, 6 July, http://www.ideasforindia.in/article.aspx?article_id=1474. McBride, Linden and Austin Nichols (2015): “Improved Poverty Targeting through Machine Learning: An Application to the USAID Poverty Assessment Tools,” Economics That Really Matters, http:// www.econthatmatters.com/wp-content/uploads/ 2015/01/improvedtargeting_21jan2015.pdf. Mehta, Pratap Bhanu (2017): “Big Brother Is Winning,” Indian Express, 8 February, http://indianexpress. com/article/opinion/columns/digitisationpower-of-state-surveillance-transparency- 4513022/. NDTV (2016a): “Truth v Hype: Aadhaar’s One Billion Challenge,” NDTV, 9 April, http://www.ndtv. com/video/news/truth-vs-hype/truth-vshype-aadhaar-s-one-billion-challenge-411279. — (2016b): “िजÛहɅराशन नहीं िमल रहा वो क्या करɅ,” NDTV, 16 July http://khabar.ndtv.com/video/ show/ndtv-special-ndtv-india/what-should-theydo-who-dont-get-ration-423998. Patel, V M, N K Ratha and R Chellappa (2015): “Cancelable Biometrics: A Review,” IEEE Signal Processing Magazine, Vol 32, No 5, pp 54–65. Planning Commission (2012): “Report of the Group of Experts on Privacy, Chaired by Justice A P Shah,” http://planningcommission.nic.in/reports/genrep/repprivacy.pdf. PTI (2015): “Right to Privacy Not a Fundamental Right, Cannot be Invoked to Scrap Aadhaar: Centre Tells Supreme Court,” Economic Times, 23 July, http://articleshttp://economictimes. indiatimes.com/news/politics-and-nation/ right-to-privacy-not-a-fundamental-right-cannot-be-invoked-to-scrap-aadhar-centre-tellssupreme-court/article show/48178526.cms. Ramanathan, Usha (2016): “Opinion: Data Is the New Gold and Aadhaar Is the Tool to Get It,” Scroll.in, 30 December, https://scroll.in/article /825049/data-is-the-new-gold-and-aadhaar-isthe-tool-to-get-it. Sahai, Amit and Brent Waters (2005): “Fuzzy Identity-Based Encryption,” Advances in Cryptology – EUROCRYPT 2005, pp 457–73. Somanchi, Anmol, Srujana Bej and Mrityunjay Pandey (2017): “Well done ABBA?,” Economic & Political Weekly, Vol 52, No 7. Scroll Staff (2016): “Jaitley Admits Right to Privacy but Brazens It Out on Money Bill Manoeuvre for Aadhaar,” Scroll.in, 16 March, http://scroll. in/article/805236/jaitley-admits-right-to-privacy-butbrazens-it-out-on-money-bill-manoeuvre-for-aadhar. SSA (2017): “New or Replacement Social Security Number and Card,” Social Security, Social Security Administration, https://www.ssa.gov/ssnumber/ Tulyakov, Sergey, Faisal Farooq and Venu Govindaraju (2005): “Symmetric Hash Functions for Fingerprint Minutiae,” Pattern Recognition and Image Analysis, pp 30–38. UIDAI (2011): “Aadhaar Security Policy & Framework for UIDAI Authentication,” (Version 1.0), http:// uidai.gov.in/images/authDoc/d34securitypolicyframeworkv1.pdf, accessed on 31 July 2016. — (2014): “Aadhaar Technology and Architecture: Principles, Design, Best Practices, & Key Lessons,” http://www.cse.iitd.ac.in/~suban/reports/UIDAI_REPORTS/AadhaarTechnologyArchitecture_ March2014.pdf, accessed on 31 July 2016. — (2016a): “Aadhaar Authentication Overview,” http://www.cse.iitd.ac.in/~suban/reports/ UIDAI_REPORTS/auth.pdf. — (2016b): “Operation Model,” https://authportal. uidai.gov.in/web/uidai/home-articles?url Title =operation-model&pageType=authentication, accessed on 2 August 2017. — (2017): “AUA Audit Compliance Checklist,” https: //authportal.uidai.gov.in/static/AUA%20Compliance%20Checklist.pdf, accessed on 2 August 2017. UN Global Pulse (2012): “Big Data for Development: Challenges and Opportunities,” http://www. unglobalpulse.org/sites/default/fi les/BigDataforDevelopment-UNGlobalPulseJune2012.pdf. Varian, Hal R (2014): “Big Data: New Tricks for Econo metrics,” Journal of Economic Perspectives, Vol 28, No 2, pp 3–28, http://www.aeaweb. org/articles?id=10.1257/jep.28.2.3. Vombatkere, Sudhir (2016): “How Aadhaar Negl ects Personal Privacy and National Security,” Mainstream, Vol LIV, No 13, http:// www.main streamweekly.net/article6283.html. Wikipedia (2016a): “Cryptographic Hash Function,” https://en.wikipedia.org/wiki/Cryptographic_ hash_function, accessed on 30 July 2016. —2016b): “Hardware Security Module,” https:// en.wikipedia.org/wiki/Hardware_security_ module, accessed on 30 July 2016. —(2016c): “Hash-based Message Authentication Code,” https://en.wikipedia.org/wiki/Hashbased_message_authentication_code, accessed on 30 July 2016. — (2016d): “Kerberos (Protocol),” https://en.wikipedia.org/wiki/Kerberos_(protocol), accessed on 30 July 2016. —(2016e): “Key Management,” https://en.wikipedia. org/wiki/Key_management, accessed on 30 July 2016. — (2016f): “Man-in-the-middle Attack,” https:// en.wikipedia.org/wiki/Man-in-the-middle_attack, accessed on 30 July 2016. — (2016g): “Secure Multi-party Computation,” https://en.wikipedia.org/wiki/Secure_multiparty_computation, accessed on 30 July 2016. — (2016h): “Public Key Infrastructure,” https:// en.wikipedia.org/wiki/Public_key_infrastructure, accessed on 30 July 2016. — (2016i): “Secure Hash Algorithm,” https:// en.wikipedia.org/wiki/Secure_Hash_Algorithms, accessed on 30 July 2016. — (2016j): “Shard (Database Architecture),” https:// en.wikipedia.org/wiki/Shard_(database_architecture), accessed on 30 July 2016. — (2016k): “Static Programme Analysis,” https:// en.wikipedia.Org/wiki/Static_program_analysis, accessed on 30 July 2016. — (2016o)” “Secure Hash Algorithms,” https:// en.wikipedia.org/wiki/Secure_Hash_Algorithms, accessed on 30 July 2016. Yadav, Anumeha (2016a): “Rajasthan Presses on with Aadhaar After Fingerprint Readers Fail: Well Buy Iris Scanners,” Scroll.in, 10 April, http://scroll.in/article/806243/rajasthan-presses-on-with-aadhaarafter-fi ngerprint-readersfail -well-buy-iris-scanners. — (2016b): “Rajasthan’s Living Dead: Thousands of Pensioners without Aadhaar or Bank Accounts Struck Off Lists,” 6 August, Scroll.in, http://scro ll.in/article/813132/rajasthans-living-dead-thousandsof-pensioners-withoutaadhaar-or-bank-accounts-struck-off-lists. Wyseur, Brecht (2009): “White-Box Cryptography,” Diss, Katholieke Universiteit Leuven, https:// www.esat.kuleuven.be/cosic/publications/ thesis-152.pdf. Zhong, Raymond (2016): “Is the Indian Government Saving as Much as It Says on Gas Subsidies?,” 21 March, https://blogs.wsj.com/indiarealtime/2016/03/21/is-the-indian-governmentsaving-as-much-as-it-says-on-gas-subsidies/. Journal Rank of EPW Economic and Political Weekly is indexed on Scopus, “the largest abstract and citation database of peer-reviewed literature,” which is prepared by Elsevier N V (bit.ly/2dxMFOh). Scopus has indexed research papers that have been published in EPW from 2008 onwards. The Scopus database journal ranks country-wise and journal-wise. It provides three broad sets of rankings: (i) Number of Citations, (ii) H-Index, and (iii) Scimago Journal and Country Rank. Presented below are EPW’s ranks in 2015 in India, Asia and globally, according to the total cites (3 years) indicator. ● Highest among 37 Indian social science journals and second highest among 187 social science journals ranked in Asia. ● Highest among 38 journals in the category, “Economics, Econometrics, and Finance” in the Asia region, and 37th among 881 journals globally. ● Highest among 23 journals in the category, “Sociology and Political Science” in the Asia region, and 17th among 951 journals globally. ● Between 2009 and 2015, EPW’s citations in three categories (“Economics, Econometrics, and Finance;” “Political Science and International Relations;” and “Sociology and Political Science”) were always in the second quartile of all citations recorded globally in the Scopus database. For a summary of statistics on EPW on Scopus, including of the other journal rank indicators please see (bit.ly/2dDDZmG). EPW consults referees from a database of 200+ academicians in different fields of the social sciences on papers that are published in the Special Article and Notes sections