India’s digital identity platform obfuscates privacy concerns again
India’s controversial digital identity system, Aadhaar, is in the process of rolling out Virtual Identity Aadhaar (VID) in an effort to assuage privacy concerns, as referenced in the first circular put out on January 8.
Before delving into the specifics, what exactly are those privacy concerns? It is important to know what they are in order to evaluate the VID solution and how it assuages those concerns.
Why is an Aadhaar number sensitive, unlike a driver’s license number or a voter ID card number? Because it is used for authentication to avail services, while other ID numbers are not. Hence its leakage compromises both the privacy and the security of the resident. Further, the ubiquitous seeding of the same number across multiple databases allows states and private parties to create a 360-degree profile of an individual, as argued in the Supreme Court case on Aadhaar.
The Unique Identification Authority of India (UIDAI), however, has denied that these concerns exist, even in theory. It has argued this in the Supreme Court. But, paradoxically, it is now making an attempt to fix these concerns, which proves they in fact do exist.
The circular by UIDAI divides the authentication user agencies into global and local AUAs and mandates that local AUAs must use VIDs henceforth. Further, another circular classified telecoms, payment banks, wallets, insurers, digital lockers and eSign providers as local AUAs (should use VIDs) and everyone else as global AUAs (can use Universal IDs or VIDs).
Entities that have Aadhaar data
If the authority does not even know the entities that have Aadhaar data in their database, how can it ensure their deletion and move toward VIDs?
It is also very unclear, for entities that have Aadhaar data and over which the authority has notional jurisdiction (for instance states and AUAs), what data they hold, what they should alter or delete, and how. For instance, the Department of Telecommunications in a circular to telecom companies instructed them to replace the Aadhaar numbers with UID tokens, without outlining how this process would be achieved.
Consider the plight of telecom subscribers who have already linked their Aadhaar number to their mobile-phone accounts. Will they now be forced to give their VID to telecom companies, under further threat of disconnection, to ensure their own privacy? And even if they are forced to do so, what prevents the telecom companies from creating a cheat sheet of the old UIDs and the new VIDs?
Therefore, the natural conclusion is that only new users who do an e-KYC authentication to get SIM cards will use VIDs. But how will they know how to generate their virtual IDs?
The default VID
The latest enrollment software, by default, not only generates a virtual ID but also prints it on every Aadhaar letter. This breaks the assertion that UIDAI made in its January 2018 circular that “it is not possible to derive an Aadhaar number from a VID.”
Further, even the UIDAI-friendly State of Aadhaar report has reiterated what is already well known. The most common use of Aadhaar is its paper form. Given that paper cards are used as peanut wrappers, are found in wells by the thousands, are sold to scrap dealers and abandoned in dumps, this allows anyone to register the mapping of a virtual ID to an Aadhaar number.
But why would UIDAI choose this design of printing a default VID on physical cards, when there are alternatives to generate a VID such as the resident portal and the easy-to-hack mAadhaar mobile application?
The clue lies in the list of local authentication user agencies (AUAs), all of which have ambitions to enter the digital lending market, which Aadhaar is promising because of the digital trail it generates when used everywhere. Given that the population it intends to target is mostly digitally illiterate, UIDAI chose the shortcut of generating a default VID, even without residents asking for one, knowing very well they will not change it.
While it is possible for the digitally literate population to generate one more VID to revoke the default VID, even this can only be done after a minimum period set by UIDAI. This in effect reduces the privacy value of VIDs further.
Do unique tokens really work?
One of the concerns that were raised by Supreme Court Justice Dhananjaya Chandrachud on using Aadhaar everywhere was about commercial surveillance by private entities. In theory, VIDs being unique and revocable, these entities will not be able to do the same. However, this defeats the business models of digital lending and financial-technology companies, which need to know if the same person has availed two different loans, using two different VIDs.
They could easily do that by matching demographic information and permanent account numbers (PANs). However, the target population, to whom they intend to provide loans and services, do not even earn enough to come within the ambit of income tax, and hence will not have a PAN, which makes deduplication slightly harder.
Hence every local AUA that is mandated to use VIDs gets the same “token,” as described by the Aadhaar authority, which remains constant for multiple VIDs of the same UID.
This is functionally similar to using the same UID as before and incentivizes AUAs and KUAs to become bigger, as it makes large-scale commercial surveillance more viable.
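The linkability argument above, as a toy model added here (not code from UIDAI or from this article). It assumes the authority derives each token as an HMAC over the AUA code and the UID, which the circulars as described on this page do not specify; `ToyAuthority`, the AUA codes and the sample number are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


class ToyAuthority:
    """Constructed stand-in for the ID authority; not UIDAI's real scheme."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)
        self._vid_to_uid = {}  # active VIDs only
        self._uid_to_vid = {}

    def issue_vid(self, uid):
        """Issue a fresh random VID for uid and revoke the previous one."""
        old = self._uid_to_vid.pop(uid, None)
        if old is not None:
            del self._vid_to_uid[old]
        while True:
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
            if vid not in self._vid_to_uid and vid != old:
                break
        self._vid_to_uid[vid] = uid
        self._uid_to_vid[uid] = vid
        return vid

    def authenticate(self, aua_code, vid):
        """Return the token handed to the AUA, or None for a revoked VID."""
        uid = self._vid_to_uid.get(vid)
        if uid is None:
            return None
        # Assumption: the token depends only on (AUA, UID), never on the VID.
        msg = f"{aua_code}|{uid}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:24]


def linked_vids(records):
    """Group (vid, token) records by token; keep tokens seen with >1 VID."""
    by_token = defaultdict(set)
    for vid, token in records:
        by_token[token].add(vid)
    return {t: v for t, v in by_token.items() if len(v) > 1}


def run_demo():
    authority = ToyAuthority()
    uid = "999900001111"  # constructed sample number, not a real Aadhaar

    vid1 = authority.issue_vid(uid)
    loan1 = authority.authenticate("AUA_LENDER", vid1)
    vid2 = authority.issue_vid(uid)  # resident rotates the VID
    loan2 = authority.authenticate("AUA_LENDER", vid2)
    wallet = authority.authenticate("AUA_WALLET", vid2)
    # Consolidation: the wallet now authenticates through the lender's AUA.
    merged = authority.authenticate("AUA_LENDER", vid2)

    return {
        "vids_differ": vid1 != vid2,
        "old_vid_revoked": authority.authenticate("AUA_LENDER", vid1) is None,
        "same_aua_links_both_loans":
            len(linked_vids([(vid1, loan1), (vid2, loan2)])) == 1,
        "separate_auas_share_token": wallet == loan1,
        "consolidated_aua_shares_token": merged == loan1,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Rotating the VID changes nothing the AUA stores: both loans carry the same token, and the only separation left in this model is between distinct AUAs, which disappears once services consolidate under one.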
Conclusion
The primary concern with using the same Aadhaar number everywhere, and with the numerous leaks, is that it compromises biometric authentication. VID would have been a viable solution for this problem only if it had been rolled out in 2010. But in 2018, every database across all public and private entities is already seeded with Aadhaar numbers, rendering this move completely meaningless.
The current circulars, however, do not make “VID only” the primary authenticator and instead take a differentiated model between public and private entities. Now most entities still use UIDs for authentication, and only some use VIDs. Further, extraneous considerations have forced UIDAI to publish the VID, defeating safe authentication using VIDs entirely.
Using Aadhaar numbers everywhere also created a surveillance problem for the government and private entities. The classification of global AUAs was specifically created to avoid dealing with the government-surveillance issue, while the same UID token per local AUA ensured commercial surveillance through consolidation and collusion.
In effect, the virtual ID feature is just an attempt to save Section 57 of the Aadhaar Act, which allows unlimited use of Aadhaar by private parties, through technological obfuscation, completely bypassing the core privacy concerns.
Asia Times is not responsible for the opinions, facts or any media content presented by contributors. In case of abuse, click here to report.
Anand Venkatanarayanan is an independent security researcher who focuses on India's digital identity project called Aadhaar. He tweets as @iam_anandv
VID is obviously printed cause not everyone is savvy enough to generate their own VID. Once the entire authentication system shifts to VID, then only VID will be used. I don't understand where is the problem in this? Obviously the existing UID numbers can't be converted into VID by just anyone as the mapping from UID to VID is not a constant. Take a bunch of new UID and corresponding VID and try to derive the mapping yourself - you can't!
please report this article
A supporter of fs0c131y .
India’s response to UN’s Kashmir report is distasteful, erroneous
When the UN Office of the High Commissioner for Human Rights (OHCHR) released its first-ever report on Kashmir on June 14, India went into fierce denial. Its Ministry of External Affairs (MEA) released a sharply worded rebuttal the same day, accusing the 49-page report of building a “false narrative” and violating India’s sovereignty and territorial integrity.
It is understandable that New Delhi, in a tight spot, had to respond before the international community drew any hasty conclusions. But the MEA response shows nothing except taking blunt offense and boiling the entire issue down to only “terrorism.”
Is the report actually biased?
A cursory reading of the report shows that the OHCHR focused on India’s alleged excesses in Kashmir much more than Pakistan’s. Even the section on human-rights abuses by “armed groups” runs just a little over three pages.
The key question here is, why did the authors do so? The report, in its methodology section, explains that the degree of access for neutral observers in conflict zones, including OHCHR, is greater in India than in Pakistan. Contrary to the MEA’s perception, this speaks well of India and thus strengthens its case on Kashmir.
In its response, the MEA said “the authors have conveniently ignored the pattern of cross-border terrorism emanating from Pakistan and territories under its illegal control.”
On the contrary, however, the report pointedly talks about not just cross-border terrorism in Kashmir, but also the direct support that the Pakistani state provides to such disruptive entities. Clauses 5 and 135 refer precisely to this, while also pointing out that the prominent cross-border militant entities in Kashmir are all proscribed by the United Nations Security Council under the “ISIL (Daesh) and al-Qaeda Sanctions List.”
The MEA also argued that the report deliberately ignored India’s legal and constitutional safeguards on fundamental rights and freedoms for its citizens, including those living in Jammu and Kashmir state. It is unclear how it arrived at this conclusion, as it is inconsistent with the report.
In several sections, the report refers to India’s court rulings and institutional directives to make the case for human-rights abuse. For example, Point 73 talks about a 2017 Supreme Court order “that made filing of First Information Reports (FIRs) by police officials and a magisterial inquiry mandatory in every ‘encounter killing’” in context of security forces relying on internal inquiries rather than civilian investigations.
Point 82 is another example, which talks about an Indian Supreme Court observation that asked for immediate assurances from authorities “that pellet shotguns would not be used indiscriminately.” This was made during a hearing on a petition filed by the Jammu and Kashmir High Court Bar Association in 2016 demanding a repeal of pellet guns.
The report also cites outcomes of the Right to Information Act, which gives every Indian citizen the power to request specific information about state practice and policies from the government of the day. Clause 88 of the report explained how an RTI application revealed that “over 1,000 people were detained under the Jammu and Kashmir Public Safety Act between March 2016 and August 2017” and how these detentions operated on arbitrary procedures.
The report also made several references to J&K’s “active civil society” (as the MEA put it) in context of alleged excesses. Clause 126 mentioned a petition filed by the “Support Group for Justice for Kunan Poshpora Survivors” before the State Human Rights Commission in February 2018. The group had reportedly “provided the Commission with documentation in 143 cases of alleged sexual violence committed between 1989 and 2017.” There were several such references to civil society in action.
Contrary to the MEA’s assertion that the report ignored the role of India’s “free and vibrant” media, Clause 111 narrated how the J&K police raided the offices of three prominent newspapers in the Kashmir Valley in July 2016 and barred them from publishing for three days.
Instead of lashing out at the OHCHR for using rhetoric, the MEA could have built a serious, comprehensive defense through a substantive dissection of the report and the exact machinations behind its production.
For example, the OHCHR’s “remote monitoring” methodology and the selective sourcing of events, perceptions, and outcomes render the report’s conclusions problematic. The MEA could have highlighted this, while also unilaterally outlining the specific human-rights safeguards that India offers to its citizens, including those in J&K.
Most of all, it could have expressed some willingness at least to look into the allegations made, if not acknowledge them.
Instead, the MEA chose to accuse the OHCHR of falling prey to “individual prejudices.” But what good is an accusation without evidence? Barring some out-of-context precedents from the past, there is nothing irrefutable to suggest any personal prejudice by the High Commissioner or his staff in this particular case.
India and Myanmar in the same boat
Interestingly, India’s response to the report bears striking similarities to Myanmar’s repeated denials of UN reports and statements on the Rohingya crisis in Northern Rakhine.
For example, both have distilled multivariate issues – Kashmir and Rakhine – down to a single variable, that is, “terrorism.” There is also scant emphasis on human rights in both narratives. Implicit in this is an unfortunate reality of contemporary state-building: Human rights are relegated to the lowest rung of priorities, while “national security” is amplified as the sole pillar of state sovereignty.
Both countries also insist that the UN’s narrative is based on “unverified information,” but refuse to provide independent investigators access to the core conflict zones. This creates space for vague assessments and overreaching presumptions on both sides. One wonders how the MEA expects the UN to verify its information unless the government provides unfettered access to the disturbed zones.
Arguably, the UN human-rights regime is not foolproof or politically agnostic. It has major structural inefficiencies and a track record that speaks of selective coverage. But the institution itself stands for certain universal principles – human rights, proportionality, and accountability in conflict situations – that most nations, including India, have duly acknowledged through various means.
Within this global consensus, India’s response to the OHCHR report on Kashmir reads like a distasteful outlier. It only negates India’s stated commitment to the principle of human rights as an integral component of democratic state-building.
This is, at the very least, unbecoming of a responsible UN member state that is also a signatory to several international rights-oriented instruments. That said, the Indian government still has time to reverse this by issuing a detailed response that takes into account all variables and realities in the restive Kashmir Valley.
Angshuman Choudhury is a New Delhi-based policy analyst, currently coordinating the Southeast Asia Research Program at the Institute of Peace and Conflict Studies (IPCS), New Delhi
The truth is the UN as a whole is a fetid political mud-pit and these "reports" are frankly meaningless and irrelevant.
A studied reply would have been given had it actually been worth refuting- this reply indicates that the Indian Govt has brushed it off.
The irony is also that the UNHRC contains Saudi Arabia, China, Russia, Cuba, Venezuela and others who are supposed to "judge" India's actions. A bigger farce couldn't be engineered even if it was designed.
We should have put the Human Rights commission people in a CRPF jeep and given them a tour of the streets of Kashmir. I am sure once they encountered the stone pelting mob descending on you like rabid dogs and waving Pakistan/ISIS flags things would have looked completely different to them.
Kashmir is the English vexing finger up Indian behind for ever, a punishment for asking for freedom.
Departing Raj could have solved Kashmir but intentionally chose not to. Divide and Rule, then Divide and Leave. English specialty par excellence. They divided India (Ireland, ME) to perpetuate their influence. Dimwit Indians and Pakistanis do not know that they have been had.
Kashmir will always keep India pre-occupied with security, and poor. Those with internal conflict only think of survival, not of growth.
At least Pakistan via a civil war is solving its internal problems and building b...
Kashmiri are religious fanatics and they throwaway all hindus from valley. same should be done once again but reverse to regain balance..
Writer is more interested in playing dirty politics to establish himself as sickular journalist