In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the # BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Saturday, September 15, 2018

13890 - Fingerprints, Aadhaar and Law Enforcement – A Deadly Cocktail Is in the Making - The Wire



Why does the National Crime Records Bureau want to amend the Aadhaar Act?


UIDAI CEO has asked schools not to deny admission to students who do not have Aadhaar cards. Illustration by The Wire













16/AUG/2018

In June 2018, the National Crime Records Bureau (NCRB) sparked public outrage when its director Ish Kumar made a strong pitch for giving India’s police “limited access” to Aadhaar data for the purposes of investigating crime and tracing unidentified bodies.

This request, reportedly widely, was predictably met with a swift public denial by the Aadhaar authority, with the Unique Identification Authority of India (UIDAI) stating that Aadhaar data had never been shared with any crime investigating agency.

How credible is this denial, though? After all, there is evidence from as far back as 2013, before the enactment of the Aadhaar Act, to show that the police already had limited access to the Aadhaar database (often through court orders) and that the UIDAI had helped state police on a number of occasions.
In the last two years, there is more recent evidence to show how police departments across the country want to use Aadhaar. But before we get to that, it is important to understand why NCRB wants to access the Aadhaar database and how it would be able to do so.

Why does the NCRB need the UIDAI’s fingerprints?
India’s central fingerprint bureau is the nodal agency for setting standards, tools and processes for the collection, storage and analysis for fingerprints.

As fingerprint matching is considered crucial for nabbing repeat-offenders, standardisation of fingerprint images and allowing officials to search through them using an automated fingerprint identity system (AFIS) is important. The bureau’s 2015 report traces the trend towards automated searches and less reliance on manual processes. As of 2015, it holds 28 lakh fingerprints of arrested and convicted persons. 

What bothers the NCRB the most, however, are first-time offenders because their fingerprints are not available in the AFIS. This is where the UIDAI comes in, because these fingerprints are very likely to be available in the Aadhaar database, considering how big it is.

NCRB’s Ish Kumar explains it the best:

“There is need for access to Aadhaar data to police for the purpose of investigation. This is essential because 80% to 85% of the criminals every year are first-time offenders with no records [of them available] with the police. But they also leave their fingerprints while committing crime. There is need for limited access to Aadhaar, so that we can catch them.”
How would this work though? From the NCRB’s point of view, access to biometric data available in the Aadhaar database through a simultaneous search will likely work as shown in the diagram below.


For this type of simultaneous search to work seamlessly, the fingerprint capture image formats must match with the stored image formats and must be standardised across both organisations.

This was done by NCRB in 2013 and were published as shown below:

Biometric captured
Explanation
Standard used
Finger image
The raw image of the fingerprints
ISO/IEC 19794-4
Minutiae images
The patterns in every fingerprint that is used for comparison
ISO/IEC 19794-2
Mug shots
Facial photographs used
ITL – 1- 2011 (JPEG)


Crucially, the UIDAI has also used these same standards from its inception (Page 15, Section 9) for finger and minutiae images. The standardisation thus allows fingerprint capture by all existing devices used in Aadhaar authentication and enrollment.

Two types of search
The NCRB’s fingerprint bureau holds annual conferences, which almost always have discussions on Aadhaar because of the sheer possibilities that a potential integration would offer. 
With the imminent roll out of facial authentication by UIDAI, and the presence of a large fingerprint database, NCRB believes, in theory at least, that it can tap into the Aadhaar database in order to identify potential suspects (their demographic details and Aadhaar number) if they have latent fingerprints and CCTV mugshots of the perpetrators.
The process by which law enforcement searches for a list of potential suspects is usually referred to as a ‘1:N search’, meaning given a mugshot and fingerprint, the system could provide many potential suspects and their Aadhaar numbers.
These Aadhaar numbers can then be used to query various databases to obtain a detailed profile of the potential suspects, which can then be used to further narrow down potential suspects (often referred to as ‘1:1 search’).



The NCRB’s interest to “limited access” to the Aadhaar database can be understood from the minutes of meeting available from each of its annual conferences.
  • The 15th conference on 2013, was attended by the UIDAI deputy director general Ashok Dalwai, in which it was told that “UIDAI would eventually converge with the police department over time”.
  • The 16th conference on 2014 requested access to UIDAI database for identification of dead bodies.
  • The 17th conference (2015) requested amendments to the Identification of Prisoner Act, 1920 to add other biometrics. It reiterated the request to access UIDAI database for identification of dead bodies and also made the crucial observation that the removal of non-convicts post their acquittal from the fingerprint database must be prioritised.
  • The 18th conference (2017) reiterated the amendment to the Identification of Prisoner Act and said, “Aadhaar may be linked to identify dead bodies”.
  • The 19th conference, (2018) discussed the need to amend the Aadhaar Act and the Prisoner Act for “identifying first time offenders and also for identifying dead bodies”.
The 1:1 search
India’s state police departments do not have to depend upon the UIDAI at all when it comes 1:1 search. There are already various state and central databases which are seeded with Aadhaar numbers. Hence once the suspect’s Aadhaar number is known, the local enforcement agencies can simply ask the various public entities that own or operate these numerous databases to provide them with the required information.
For instance, India’s state police can merely ask local banks to provide all information associated with a particular Aadhaar number, including linked phone numbers. 
This is how seeding Aadhaar numbers into various databases, referred to as “cross-seeding”, makes it easier to create 360-degree profiles, that are available on request for the law enforcement agencies without even needing a warrant.
Hidden backdoors for 1:1 search already exist
In October 30, 2017, the Times of India reported that a missing woman was identified from her half charred body using Aadhaar.
How could the police identify the woman from just a fingerprint? The back-door that allows this functionality is the “name/UID search” feature, which allows printing of an Aadhaar card, for those who have misplaced their Aadhaar number, using their fingerprints.
It is also obvious that a “fingerprint mould” was used by the police, since the woman was already dead. To know the identity of the missing woman, the police department obtained the names of all missing persons as reported in the district, during a specific time. It then used the “name search” feature along with their fingerprint mould to print their e-Aadhaar.


Screenshot of name/UIDAI feature. Credit: The Wire
Automating the 1:1 search

The southern state of Andhra Pradesh, has already created a vast fully interlinked resident database that has merged the crime and civilian aspects.

For instance the local state hub, has information about all its residents, the GPS coordinates of their homes, medicines they use, food rations they eat, what they say about their chief minister on their social media accounts, their caste, bank accounts on which they receive scholarships, pensions and their Aadhaar numbers.

This design allows the state police or any state official to know everything about an Aadhaar number holder by just typing their Aadhaar numbers.

A very similar exercise is under progress in the state of Telangana. The state hub hosts both the crime data and the Aadhaar data of the residents in one single entity called “Integrated Information Hub” and is also managed by the Hyderabad police.

Since the state police runs the state data hub, it also allows them full unlimited access to all the schemes that every family is enrolled into, along with access to authentication logs, thereby allowing real time tracking of the population, if need arises.

Telangana also offers an ongoing lesson on how a civil database (Aadhaar) and a crime database (used by NCRB and the various states) can converge. For instance, not only are the Aadhaar numbers of drunken drivers were seeded into the crime database, their family members’ Aadhaar numbers were also seeded.

Even those who are acquitted would continue to reside in the crime databases, and would be forced to share their Aadhaar numbers and their biometrics and also their family members’ details, until the courts directs them to stop doing so.

Purpose limitation is futile after a certain scale
Media reports over the last two years also indicate that the various crime databases maintained by the state and central bureaus are being cross-seeded with Aadhaar numbers and demographics, thereby converging the civilian and the crime database via a staged approach as described below:
The cross-seeding of Aadhaar numbers with digital police systems such as the CCTNS (crime and criminal tracking network system) was something shunned by the initial team behind the biometric authentication programme.

“Nandan [Nilekani] told us that if they allowed us to do it, the people would never trust Aadhaar,” a former director-general of prisons of a large north Indian state told The Wire.

And yet, an early version of the software behind the Integrated Criminal Justice System (ICJS) – a programme that seeks to link the police’s criminal tracking system (CCTNS) with the digital information-technology systems for India’s courts and prisons – shows that Aadhaar was meant to serve as a crucial component of the overall ecosystem.



A screenshot of an initial version of how ICJS would look. Credit: The Wire
The image above is from 2016, showing that the NCRB, which implements the CCTNS and ICJS projects, had hoped to have the Aadhaar Act amended by now.

Parsing the UIDAI’s denial
The UIDAI in its denial asserted that “use of Aadhaar biometric data for criminal investigation is not allowed under the Aadhaar Act” and quoted Section 29 of the Aadhaar Act as corroboration.
The denial thus is limited to access to the biometric data (1:N search) and does not cover other cases like automated 1:1 access or request-based access to other entities. Furthermore, it also does not explicitly deny the creation of parallel biometric databases.

For instance, both the Hyderabad police (Entry 105) and the Chandigarh police (Entry 125) are on the list of Authentication User Agencies (AUA) and KYC User agencies (KUA) AUAs and KUAs are entities that are given access to the central Aadhaar database (CIDR) for authenticating Aadhaar holders.
This KUA access is sufficient for the police of both states to forcefully authenticate any arrestees to obtain their demographic information from the Aadhaar database.

Once KYC authentication fetches the demographic information, the police can use the Identification of Prisoners act, 1920 to obtain their fingerprints in the same standardised form used by the UIDAI to create a parallel database which mirrors the CIDR. The only catch is that unless the Aadhar Act is amended, the police cannot legally store other biometric parameters such as IRIS scans and vein prints. This is why successive NCRB conferences have recommended amending the Aadhaar Act.
UIDAI’s denial might look like a principled opposition, but it is also a reflexive mechanism to ensure that NCRB or other agencies don’t catch onto the fact that there are serious quality issues that plague the Aadhaar biometric database. For instance, biometric mixups affect (officially) nearly 2 crore Aadhaar holders and while the image formats are compatible, the minimum quality of capture for Aadhaar is a mere 52%.

Parallel biometric datbases
While Section 29 of the Aadhaar Act only deals with sharing of biometrics, it does allow limited access to the demographic data by allowing police to become KUA/AUAs and through other means.

The limited access to demographic data also allows the state police to build their own parallel fingerprint databases – something that is currently happening in at least three states. What’s worse is that entries are typically not deleted, as mandated by the Identification of Prisoner act, if an arrestee is acquitted later.

This allows convergence of the crime and civilian databases, as indicated by the-then deputy director general of the UIDAI, Ashok Dalwai, way back in 2013, leading to the implication that this had always been the original design.

A vast database that allows other entities (including states) to build their own parallel (and bigger) databases with parallel biometrics, by design, is exactly the architecture that an all encompassing surveillance state would need. Such an architecture makes the legal construct of “consent and purpose limitation”, as enunciated by the nine-judge privacy bench, impractical and unimplementable by design.

This is why the Srikrishna committee, while recommending amendments to the Act, has kept Aadhaar out of the purview of the proposed data protection bill. 

The typical response of the Supreme Court is to issue guidelines that needs to be followed by the state (PUCL vs Union of India, 1996), when it encounters complex questions, such as balancing the right to privacy and the requirements of law enforcement agencies.

But what if such an approach would meet nothing but failure, because the architecture of the project is designed to make guidelines based on “consent and purpose limitation” irrelevant?
While the software revolution sweeps by and eats the world, will it also end up eating the law and weaken constitutional rights? With the Supreme Court set to rule on the Aadhaar case, we will know soon enough.


(With inputs from Anuj Srivas)