In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the # BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Thursday, August 2, 2018

13810 - By Revealing His Aadhaar Number, the TRAI Chairman Has Opened a Can of Worms - the Wire


R.S. Sharma's challenge to hackers was irresponsible in more ways than one and showed how knowing an Aadhaar number can be a very useful starting point to dig up private information on anybody.

TRAI chairperson Ram Sewak Sharma. Credit: Facebook/Ram Sewak Sharma


30/JUL/2018

On Saturday night, in response to technology developer Kingsly John, the TRAI chairman R.S. Sharma published his Aadhaar number, challenging John to give one concrete example of harm that could be done to him.

Following the tweet, users on Twitter were able to dig up the TRAI chairman’s mobile number(s), Gmail and Yahoo addresses, physical address, date of birth, and even the frequent flyer number which is believed to be a response to the security question for changing Sharma’s Gmail password. Multiple bank account numbers have been made public, although one security researcher said that his Aadhaar hasn’t been linked to his bank account, although the chairman contested that. Using his mobile number, his WhatsApp photo (which also had someone who is possibly his daughter) was also made public (but with the woman’s photo cropped out by revealer). They’ve also been able to identify that he uses an iPhone, and sent him money using UPI payments.

Update: Apparently someone has ordered a OnePlus 6 for the chairman, via Amazon, cash on delivery.

Why this is an important development
To understand the importance of this public experiment, we need to understand the importance of the man himself: R.S. Sharma was previously the founding CEO of the UIDAI, which issues Aadhaar numbers. The now TRAI chairman understands technology, has weighed in repeatedly on privacy and security issues, defending Aadhaar. Under his watch, the TRAI even did a privacy consultation, which isn’t a part of the TRAI’s remit, and has sought to expand its jurisdiction beyond telecom to the Internet, even though the TRAI Act limits the regulators actions to telecom alone. The privacy recommendations suggest Privacy by Design. There are rumours that Sharma might be in line to become the first head of India’s Data Protection Authority, if and when that is set up.

This is thus, by no means, a small development. RS Sharma is an important man. Publishing Aadhaar numbers is illegal.

Some comments on this disclosure and the response to it

1. The disclosure will be used to suggest that leaking Aadhaar numbers does no harm: If no harm comes to  Sharma because of this – and I hope it won’t – it will be used as an example to justify the fact that publishing of Aadhaar number in public does not do any harm.

That speaks to the privilege enjoys as a senior government functionary, a technologist, and a man.

Understanding technology means that R.S. Sharma would possibly know how to keep his accounts more secure, and might even have two-factor authentication for his email when most people may not. R.S. Sharma has easier access to law enforcement, banks and mobile operators, as well as understanding how they are supposed to work, and access to people who can make them work swiftly for him. Him being harmed would make the front pages of newspapers, and the case could possibly get greater attention and scrutiny, and hence swifter justice.

It’s not clear what R.S. Sharma deems as harm, but harm for him might be money being moved out of his bank account. Well, that and more has been done using Aadhaar: here’s a list of over 100 instances of Aadhaar related fraud.

As Karthik S. said on Twitter, “What’s ‘harm’ to a 25 yr old working woman professional, or a 70 yr old pensioner may not be ‘harm’ to you.”

Doxing is a well known attack vector. To cite Wikipedia on doxing,

“Once people have been exposed through doxing, they may be targeted for harassment through methods such as harassment in person, fake signups for mail and pizza deliveries, or through swatting (dispatching armed police to your house through spoofed tips)”…”The victim may also be shown their details as proof that they have been doxed in order to intimidate. The perpetrator may use this fear and intimidation to gain power over the victim in order to extort or coerce.”

For someone else it could mean monitoring of communications to determine when there’s no one at home, and robbing the house. For a woman, it could mean someone stalking her, and landing up at her house. Being a man means that Sharma won’t ever fully understand or appreciate the insecurity that women feel while living in and traveling in our cities. For someone else, it could mean a stranger gaining access to her email and publishing personal communication. For a business, it could mean revealing of trade secrets from an email account.
The Aadhaar number being made public can be a very useful starting point because of the information it can lead to, as has been demonstrated from the disclosures related to RS Sharma.

2. The disclosure will be used to say that Aadhaar is not necessary for profiling: Essentially, because Sharma is a public personality, it was easier to build a profile for him, pulling out information from current and old government records. Thus, there can be an assertion that Aadhaar is not necessary to build profiles. This ignores the fact that not everyone’s mobile number is publicly available, and profiling can only be done once an identifier is known and linked to multiple activities. Data science has evolved largely to solve this exact problem: People are more secure when there are silos, and companies, hackers, advertisers and many others seek means of breaking down those silos.

It’s why the more evolved and aware technology users use multiple email addresses, each for different purposes. Aadhaar (for government) and the usage of a mobile number (for businesses) as an identifier removes such silos, enables more accurate profiling. This is why this information needs to be treated as sensitive personal data, thus limiting its usage and sharing.

3. It will be used to say that there’s a lot of information about individuals available online, so privacy is a myth: Apart from the fact that usage of different identifiers enables privacy, not everything about everyone is public. We might have medical reports in our inboxes, or linked to our mobile number with some pathology lab that we don’t want published publicly.
Not everything is easily connected either. Often it is the combination of information that can be used to compromise people.
An example of this danger is that once Sharma’s mobile number, email address and date of birth were gleaned, it was used to get his frequent flyer number via an Air India chat-bot. That frequent flyer number is not public, but it is important because that’s the response to his security question for changing his gmail password. A hacker could have changed the TRAI chairman’s email password and gained access to it.
Many government officials use gmail for official work. Uncertainty about the security of our communications chills speech and greatly impacts our behavior and trust of the tools that we use.

4. Harm need not be demonstrated now: Much of the information that has been revealed about Sharma is permanent – it is not clear how soon any harm may come to him because all of these details have been made public. If that does happen – and I sincerely hope it doesn’t – it might not be easy to attribute it to this specific case. The point here is that it’s difficult to always link harm back to a loss of personal data.
Kingsly John publicly sought legal opinion, beyond R.S. Sharma’s assurance that no action will be taken against him if he can demonstrate how R.S. Sharma can be harmed. Rest assured, if it wasn’t a person with the privilege that R.S. Sharma enjoys, and if Kingsly John wasn’t a responsible person, this wouldn’t have happened. They would have just compromised him, just as easily as they could have compromised his gmail address, and never told him.
R.S. Sharma remains susceptible to attacks even now.

5. This is dangerous and not very responsible, perhaps even not legal: In response to the TRAI chairman’s tweet, I’ve seen instances of few people publishing their Aadhaar numbers online, challenging others to compromise their privacy. That is a risk that they are taking, but this is poor form from the TRAI chairman: he may be protected by his privilege, but his actions have directly emboldened other people to foolishly risk compromising their own security.
Srikrishna Committee recommendations treat the Aadhaar number as sensitive personal data, and the Aadhaar Act says that it is illegal to publish Aadhaar numbers. It’s possible that the TRAI chairman has done something illegal by publishing his own Aadhaar number publicly, and also that this act is encouraging illegal activity when others do the same, following in his footsteps.
The TRAI chairman should have been more responsible and cognisant of the possible outcome of his actions, even though he not directly accountable for others publishing their Aadhaar numbers. Even after so much personal information has been revealed about him, he is brushing that aside and asking people to prove harm. He is normalising leaking of sensitive personal data.
This was not very thoughtful of him and his bravado is misplaced and dangerous.

Note: We are not linking to any tweets which detail R.S. Sharma’s personal information even though these are public, in his interest.


This article originally appeared on Medianama. You can read the original article here.