In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the # BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Wednesday, March 14, 2018

12970 - The UIDAI needs to realize the harm sharing Aadhaar, PAN and other crucial data can cause to the system - First Post


Mar 13, 2018 18:17 PM IST

Time and again, whenever a security allegation is made against the Aadhaar ecosystem, the Unique Identification Authority of India (UIDAI) comes out with a standard response, the allegation in question is irrelevant to security, the Aadhaar ‘system’ (read biometric database) is completely secure, and, in certain cases, an FIR against the reporter. The latest security allegations against Aadhaar are in the form of French researcher Robert Baptiste (going by the alias Elliot Alderson), who claims to have found 20,000 Aadhaar cards publicly online, within a span of 3 hours.

The UIDAI’s response to this (a statement on Twitter which is being assumed to be in response to Baptiste’s allegations) is extremely worrying, stating that first of all, people should share Aadhaar freely, and second of all, that disclosure of not only Aadhaar numbers, but also PAN numbers, bank account numbers and passport, poses no threat to the security of the systems of which they are a part (See Tweet number 7/n). It appears that as per the UIDAI, the only data worth protecting, is biometric data, and the only thing that constitutes a threat to the ‘system’, any system, is a large-scale technical breach.

The UIDAI’s statement- Aadhaar is not confidential

The UIDAI’s Twitter statement on Aadhaar numbers is that it is ‘never to be treated as a confidential document’. It is to be shared openly and freely, as and when ‘required and asked for’. Further, Aadhaar numbers, like PAN, passport and other details are ‘ordinarily’ to be protected to ‘ensure privacy’.



UIDAI has dismissed the reports as irresponsible which appeared in a section of social and other media on security of Aadhaar system being questioned on account of a few Aadhaar cards reportedly put on the internet by some unscrupulous elements. 1/n

The remedy offered by the UIDAI for this is to sue the publisher of such details for civil damages for the infringement of privacy. Lastly, the statement says that the disclosure of numbers like PAN, Passport, Aadhaar and bank account numbers does not ‘impact or threaten the security of the banking, income tax or passport system’.

Disclosure of Aadhaar, PAN, and bank account numbers is extremely harmful

The UIDAI has always taken an extremely narrow stance on privacy, concerning itself only with biometric data. It has also betrayed an absolute lack of understanding of the risk that data disclosures pose to people in today’s world of cybercrime. This was seen, for instance, with The Tribune story, after which the UIDAI made a statement that the demographic data disclosed, like name, date of birth, address, PIN, photo, phone number, and e-mails cannot be misused. The UIDAI’s latest statement has now added Aadhaar, PAN, passport, and bank account numbers to this list of data, the disclosure of which is not harmful.

Consider a simple method of cybercrime today- account recovery mechanisms. This may be of the income tax website or a bank’s website. Consider the data that is normally needed to recover a password- PAN number, account number, date of birth, e-mail, and so on. A password is needed, sent either to an e-mail or via OTP. To give one example, passwords to an e-mail account can quite easily be found in the dark net (See this report on how a person’s e-mail account was hacked into within 36 hours using just their name).

OTPs have been extracted from people, whether through fraudulent phone calls or through duplicating SIM cards. Consider this report where the victim’s bank account was emptied after obtaining a duplicate sim, obtained via a fraudulent phone call made under the pretext of Aadhaar- Sim linking. Reports have similarly arisen on scams which are said to be related to Aadhaar linked bank accounts, and Aadhaar based UPI apps.

Aadhaar, PAN, bank account numbers are huge targets for cybercriminals
Each of these examples uses a combination of data to gain access to these systems, data which, as per the UIDAI, cannot impact or harm the system. This data- people’s name, address, e-mail, mobile numbers, and their Aadhaar, PAN, bank account and passport numbers form their most crucial data and is the biggest target of cybercriminals. The UIDAI offers biometrics as a solution, but note that firstly, not one of these example uses biometric data, and secondly, biometric authentication has made biometrics the next biggest target of cybercriminals.
Each new piece of data found on the internet adds to the umpteen databases on the darknet, leading to more and more detailed profiles of individuals. It is only a matter of time before biometrics are added to this, if they haven’t already been added. Moreover, cybercriminals and their techniques are becoming increasingly sophisticated. The rate at which new means of scamming people arise far exceeds the rate at which the crimes are discovered and stopped.

In such a situation, instead of treating this data with utmost confidentiality, the UIDAI has instead dismissed their value towards the security of various systems.

UIDAI contradicts its own statement on Aadhaar number confidentiality
The most surprising part of this statement is that the UIDAI has, in fact, contradicted its own statements and actions in the past with respect to protecting the Aadhaar number. Consider the Virtual ID system. Without going into the problems that the Virtual ID system in itself has, the whole purpose of Virtual ID is to protect the Aadhaar number; to prevent its disclosure.

The UIDAI, has also, in the past, advised people to be ‘very discreet’ with sharing their Aadhaar number. The same thing can also be seen looking at the Aadhaar Act and regulations themselves, where the publication of Aadhaar numbers is a punishable offence ( See Section 29 of the Aadhaar Act and Regulation 6 of the Aadhaar (Sharing of Information) Regulations).

In the past, the UIDAI has advised people to be very discreet about sharing their Aadhaar number. Getty.

A threat to the ‘system’
Further, a threat to the ‘system’, be it the Aadhaar system (not just the Aadhaar biometric database, but the Aadhaar ecosystem), the banking system or the income tax system, does not involve large-scale hacks only. Hacking even a single person’s account is a huge vulnerability and a threat to the system. One simple reason is that a cybercriminal who succeeds in gaining access to one person’s account through one method will definitely try the same method with other people’s accounts.
As The Tribune story revealed, an Aadhaar number alone can also cause harm to the Aadhaar system, since that was all that was needed to extract a person’s personal information. Even if the UIDAI has fixed this particular issue, more such vulnerabilities and loopholes will be found, again.

UIDAI says sue for civil damages
In the last part of its statement, the UIDAI suggests that people’s remedy for any data disclosed is to sue the publisher for civil damages for violation of privacy. The UIDAI’s statement, however, does not mention if any effort was made on the UIDAI’s part to investigate the reports (Baptiste’s or otherwise) before dismissing them as irresponsible. In the past, the UIDAI had similarly dismissed The Tribune story as misreporting, and then later went on to file the FIR.

People’s remedies under the law
The Aadhaar Act, it must be remembered, authorizes only the UIDAI to act against violations of the Aadhaar Act, including such publications of Aadhaar numbers (See Section 47 of the Aadhaar Act). The people have been given no power to act against it, beyond filing a grievance. Thus, people have no remedy under the Aadhaar Act.

People’s remedies are those provided under the Information Technology Act. Section 43A of this Act grants damages by way of compensation. However, for this, a wrongful loss has to be proved. This can be difficult, particularly when the effects of a loss of data are often felt much later, by way of a cybercrime. In fact, when a cybercrime occurs, it is often difficult to find out where the data used for the crime was sourced from. Another option is Section 72A, but this only penalizes a deliberate disclosure of data, made with the intent to harm a person, and in breach of contract.

The main issue with these remedies are, first of all, most people will not even know if their data was disclosed via such a publication. Secondly, even if they do know, most people will not be in a position to pursue a case in a court of law, unless the damage is significant. Add to this the UIDAI’s statements that the disclosure of this data will not harm the system, and people’s incentive to act against such disclosures reduces further.

UIDAI’s responsibility to act against violations
This is one of the reasons why the proposal of class action lawsuits under the Data Protection Framework is so welcome. With the inadequacy of current regulations, the solution, therefore, lies with penalizing the publisher and having the data removed. This power, however, lies only with the UIDAI, making its responsibility to act against such violations that much greater. Its reactions to reports, however, whether to the current allegations, The Tribune report, or the mAadhaar app flaw, however, in no way encourages such researchers to approach the UIDAI.

Such statements can send a wrong signal
The UIDAI has long since needed to take a much more responsible approach to privacy. Where the UIDAI should be advising people to treat such data with extreme caution, a statement like the current one can send a very wrong signal to the people. It needs to realize the cruciality of the data in its possession and work with the people to protect this data. Hopefully, the ongoing hearings in the Supreme Court will result in the required privacy obligations on the UIDAI, as well as greater rights to the people.


Published Date: Mar 13, 2018 15:48 PM | Updated Date: Mar 13, 2018 18:17 PM