Tuesday, 28 November 2017

Aadhaar makes citizens more vulnerable

Last year Delhi Police busted an ISI spy ring and found that Mehmood Akhtar had an Aadhaar card naming him as Mehboob Rajput. In May this year, the Central Crime Branch found that three Pakistanis had obtained Aadhaar cards in Bengaluru through a middleman for Rs 100 each. More recently, Zeebo Asalina, an Uzbek national arrested in Orissa, had an Aadhaar card naming her as Duniya Khan.
  • The perception that security agencies may have a better chance of nabbing potential terrorists if all mobile connections are verified using Aadhaar is flawed. Since Aadhaar cards were based on forged documents and UIDAI does not conduct any verification by itself, it retains the flaws of these documents and is not ‘fraud-resistant’. In fact, once they have Aadhaar, things may get easier for potential terrorists, given the incorrect perception that it is foolproof.
  • Paper IDs are not good for privacy since they can be reused for other purposes. But Aadhaar is worse, because once data is shared with hundreds of third parties, it is no longer secure. 
  • Electronic KYC is cheaper for telecom operators and banks, it is costlier for citizens. The cost of the loss of personal information is much higher than the benefit of collecting it. UIDAI has no control once data leaves its system via eKYC, which has a tick-box approach to consent and no checks thereafter.
  • The risk of personal information leaks increases with more services getting linked to Aadhaar due to security vulnerabilities, or sheer incompetence of the government or third parties.
  • Disclosure of Aadhaar numbers is illegal as per Section 29 (4) of the Aadhaar Act.
  • Whereas RTI Act makes it mandatory for every public authority to publish the manner of execution of subsidy programmes, including the amounts allocated and the details of beneficiaries of such programmes. This is conflict with Aadhaar Act.
  • Biometrics are the least secure form of authentication. They can be cloned from photographs, and you leave fingerprints on every glass of water you pick up.
  • Estonia had to suspend its digital ID cards due to cybersecurity related vulnerabilities. Spain is facing similar issues. 
  • The government’s cavalier attitude towards privacy that privacy cannot be at the cost of innovation indicates its willingness to put citizens’ personal safety at risk: that your privacy is a price that GoI is willing to pay for making it easier for businesses to be built around your data.
  • Data for millions of people has already been compromised by the government, the allegation that critics are “alarmists” and “motivated” is a tactic to divert attention from badly designed architecture, execution mistakes, security failures and the yet-to be-addressed risks.
  • While there are some benefits that might accrue from customisation of thousands of services that might otherwise not have had your data, a government that forcibly takes sensitive and personal information from you, and a court that has allowed this to happen despite appeals to stop it, has acted against you and 1.3 billion others.
  • All your data, linked to a single ID and accessible to the government under unspecified ‘national security’ considerations, without sufficient checks and balances and judicial oversight, is also dangerous in the hands of a future government that might look to retain power by any means necessary. 
  • Mass surveillance for which Aadhaar is an enabler, is an unnecessary and disproportionate infringement of rights, and dangerous for democracy. 
  • With Aadhaar numbers littered all over the web, anyone can create a dossier of personal information by finding and joining datasets bases with the Aadhaar number and hence stating that Aadhaar is not a secret or confidential number is misleading and dangerous.
  • Publishing a person’s caste, Aadhaar number, or mobile number or emailids is an unwarranted invasion of the privacy of the individual and serves no public interest but the leaked info can also cause financial loss. It opens doors for fraudsters to perform attacks on unsuspecting individuals.
  • Publishing of last four digits of Aadhaar number only might not satisfy the provisions of both RTI and the Aadhaar Acts. Publishing Aadhaar number, full or partial, on the open web will put too many unsuspecting people at risk. It’s illegal for UIDAI to pass the buck and act innocent about data leaks. It needs to get across to users of Aadhaar data to follow the law or be held responsible.
  • Instead of blaming the transparency requirements of the RTI, UIDAI must be pressurised to enforce its agreements with its partners. Whether you call it a data leak or not, doesn’t reduce the harm done if the authorities continue to publish Aadhaar details on the open web.

Government can't make citizens safer by making them more vulnerable.

The issue is not about Aadhaar as a tool in identification, but of linking it with everything under the sun is gross violation of privacy by government. While linking Aadhaar as remedy to plug leakages of government subsidies is well taken but forcefully linking it to all IDs is as imprudent as having one password for all your transactions which exponentially increases vulnerability. There would be little remedy to assaults by fraudsters on systems that are indiscriminately cross-linked. In the absence of robust data security environment, stringent privacy laws and meticulous penal agreements for any kind of data leakage or misusing, Government has no business to make Aadhaar linking mandatory to all citizen IDs and exposing them to security threats and unknown & unmitigated financial losses.

No comments:

Post a Comment