Unmasking Aadhaar

The mindless, mandatory biometric linkage of Aadhaar numbers to every aspect of our lives -- from birth to death, telephones and bank accounts -- is causing widespread harassment. The hype that biometric identification was a gift to citizens and a world-beating technological leap is a fallacy. People who are wary about the risks involved in Aadhaar linkages has now risen dramatically, with details of its fallibility being widely reported. But the continued coercive tactics by service providers and regulators indicate that the UIDAI and the government are in no mood to listen.

• (1) There is growing evidence of how inefficient biometric identification in Aadhaar is. 
• (2) Aadhaar is not merely about acquiring an identification number; there will be a cost/fee involved in every authentication and updation. The government has maintained a stunning silence on the cost of updation and other mandatory services.
• (3) Most people are realizing that biometrics change over a lifetime. This means that Aadhaar authentication can fail anytime and would need frequent updating especially for senior citizens. If you find it frustrating to update bank KYC information, get prepared for perpetual harassment when ever your biometrics let you down.
• Aadhaar is a nightmare for vulnerable, less-literate people and disempowering for senior citizens who will need to rely on Aadhaar kendras or bank officials for updation.
• UIDAI appoints enrollers and mandates linkages, but provides no recourse to those who are cheated by agents. If you are a victim, you will end up fighting a legal battle or chasing the police for redress.
• The effort involved in the Aadhaar updation exercise will make us even more reluctant to change service-providers and put up with shoddy service. This makes a mockery of competition and choice in a free market.
• IDRBT, a subsidiary of the RBI, has called for caution in use of Aadhaar for government programmes, based on a study of its implementation in AP. It says that it is also unclear if, in the long run, the benefits of Aadhaar will outweigh the negatives.
• On Dec 1,2017, Premani Kunwar, a 64-year old widow died of starvation. Her Aadhaar-linked bank account was manipulated to fraudulently transfer her old-age pension into the account of her husband's first wife. Denied income and rations, she slowly starved. Shockingly, the first wife had a valid bank account with updated KYC (presumably Aadhaar-linked) to which funds were transferred, even 25 years after her death. The case reeks of collusion between bank officials and a stepson, who has been arrested, and exposes the easy manipulation of records and its devastating impact on the very poor.
• Ravindra, a 64-year-old central government officer, who, harried by repeated failure of Aadhaar authentication, wrote, "I am desperate and sometimes start thinking of ending of my life." Writing to the UIDAI was of no use. Instead, he received gratuitous advice to procure a phone in his son's name, thereby defeating the purpose of linkage, disempowering the senior citizen and placing a needless burden on his son.
• Neither the government nor the UIDAI has bothered to respond to thousands of such senior citizens complaints on the National Consumer Complaints Forum.
• What is worse, a government that is in the habit of repeatedly changing its goalposts is not called upon to explain its claim that it will help unearth black money.
• UIDAI's response to criticism has been to browbeat and silence critics. When The Tribune exposed its vulnerability by gaining access to the UIDAI database (not biometrics) by paying just Rs 500 to an intermediary, it reacted by filing a police report. When this led to a media uproar, the government back-pedalled quickly.
• The UIDAI has also announced the introduction of 16-digit virtual ID and facial recognition for better security, and to address the issue of failed authentication for citizens. In case the apex court does not grant relief to the petitioners, we are all in for rough times, while the UIDAI experiments with new technologies whose cost, efficacy and availability across the country are unknown.

Read the source article

The reckless linking of Aadhaar with all services and transactions undermines citizen's privacy rights and is unacceptable in a democracy especially without any robust privacy laws and misuse recourse obligations. This falls short of a 'surveillance state' where all citizens must prove their credentials for each and every transaction they may make just for administrative convenience of irresponsible bureaucracy and for luxurious spending by political classes. This must not be allowed. Aadhaar must be confined to providing unique ID card and for efficient distribution of government subsidies and benefits only. Noting more and nothing less. Biometric verification should always be voluntary and never mandatory for all citizens, except for criminals.

Aadhaar benefits unclear

The benefits of Aadhaar, India’s biometrics-based unique national identity system, are unclear and the impact of direct benefit transfers it will be used to deliver to the poor is not studied enough, as per a new study paper published by Institute for Development and Research in Banking Technology (IDRBT), an autonomous institute established by the RBI. 

• In the seven years following its introduction, 1.12 billion Indians or 88.2% of the population have enrolled for Aadhaar.
• Established by UIDAI under Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, Aadhaar is now used for direct benefit transfers as well as distribution of food grains and essential commodities under the PDS by the state. It includes various payments linked through Aadhaar enabled payment system.
• There are issues related to Aadhaar such as last mile access problems, quality of authentication, unclear financial benefits and security concerns and said there needs to be caution in the manner in which the government is linking more economic activities with Aadhaar.
• Aadhaar has been caught in the issue of the citizen’s right to privacy and threat of information leak. The story reported in The Tribune on January 3, 2018 alleged that unrestricted access to details of over one billion Aadhaar numbers can be purchased at as little as Rs 500.
•  “It is a major security breach,” the deputy director of UIDAI, Chandigarh was quoted to have said.
• The protection of the data is a major concern for the UIDAI. For the first time in the history of India, there is now a readily available single target for cyber criminals as well as India’s external enemies. Any attack on UIDAI data can cripple Indian businesses and administration and would result in a huge loss to the country’s economy and the privacy of its citizens.
• Aadhaar is available in the database of a large number of service providers and any breach can compromise the information contained in it. This allows private players to build an ecosystem, i.e. services and applications around Aadhaar raises questions about the security of the database.
• In Dec 2017, it was found that Airtel used the Aadhaar based verification to open payment bank accounts of their customers without their consent and linked to receive LPG subsidy. No action was taken by the UIDAI for the violation of the Aadhaar Bill except barring Bharti Airtel and Airtel Payment Bank from opening new accounts. 
• More robust and comprehensive law is necessary on the use and misuse of the massive amount of data being generated and collected.
• Financial inclusion was one of the goals Aadhaar since inception, but a biometric solution tends to be long on promise and short on delivery.
• The growing emphasis on the use of Aadhaar as a compulsory ‘know your customer’ (KYC) norm is emerging as an obstacle in banking access for those who had registered with the earlier systems. Banks have blocked access to those who have not submitted their Aadhaar numbers. In the case of accounts closed by banks due to non-linking with Aadhaar, money has returned to government agencies. The customer then has to open a new bank account in another bank and then run to various government offices to change their bank account number registered under the scheme.
• Problems with withdrawal of money at a time when it is needed the most either due to non-working channels or problems with KYC compliance has convinced people that the best place for their money is their pocket or at home under the mattress.
• Customers of zero balance accounts opened for individuals are not allowed access to their accounts from non-home branches, but regular accounts are.
• Government claims that it has saved about Rs 14,672 crore using Aadhaar through DBT schemes for 2015-16. But a Canadian non-profit, International Institute of Sustainable Development, has claimed that the saved amount was Rs.120 crores only. 
• Does the change in the system of subsidy delivery from providing commodities and services to cash transfers actually benefit the poor? There are no clear answers. 
• It may inconvenience public distribution system beneficiaries and “the long-term benefits of DBT on the poor are as yet largely unstudied and most of the expectations are based on theoretical assumptions”.
• The Aadhaar Act allows the government to establish the citizen’s identity as a condition for the delivery of subsidies, benefits or services. Biometric authentication allows the government to reach genuine beneficiaries. But for this, the biometric authentication system has to be flawless which is not the case in India currently. Failures in biometric authentication is alarmingly high.
• Aadhaar allows a beneficiary to access benefits like PDS in any location irrespective of where he is registered. Authentications and failures were found to be the highest when a large number of people–migrants and non-migrants were present in the village. 
• These flaws in the biometric system raised the question if a government can provide benefits to citizens irrespective of where his/her Aadhaar was registered.
• There is no way of cross verifying the quality of biometrics stored, especially by the person who has enrolled. In a worst case scenario, a flawed biometric authentication system can lead to identity denials.
• Even assuming that only 5% of Indians are denied government benefits due to issues with Aadhaar, we are still looking at 50 million citizens. That is more than population of many European countries. 
• Does it mean this exclusion of a small minority is condonable in a democratic society?

Read the source article

It is clear that no studies were conducted about the feasibility, benefits and procedure to be followed for linking Aadhaar with all public economic activities. What ever came into the stupid minds of rulers and their assistants is being implemented subjecting crores of people to hardships and exposing them to unknown risks. Who wants all his transactions to be trackable either for tax payment purpose or as a matter of individual privacy? In any case Govt publicizing lies as a justification for its hare brained activities is unacceptable nonsense.

Aadhaar data insecure

  

The Tribune dated Jan 4, 2018

Read the source article

Aadhaar data and its insecurity and absence of robust privacy protection laws, linking Aadhaar to all bank accounts etc can become catastrophe. Government has no right to expose citizens and their money to risks of losing.

Aadhaar linking should be restricted only to Government welfare schemes & subsidies and at the worst to mobile phones. Nothing more than that. Individual financial data must never be accessible to unauthorized entities under any circumstances.

Even though UIDAI assures Aadhaar data is fully safe, it is not really safe as glitches exist and not fool proof. Robust privacy laws must restrict individual data and unbridled access to database. Especially banks and financial institutional data accessing by unauthorized parties must be eliminated. Any financial loss arising out of unauthorised accessing of data must be borne by UIDAI/GoI/Bank only and customer must not be subjected to any loss or inconvenience.

Aadhaar makes citizens more vulnerable

Last year Delhi Police busted an ISI spy ring and found that Mehmood Akhtar had an Aadhaar card naming him as Mehboob Rajput. In May this year, the Central Crime Branch found that three Pakistanis had obtained Aadhaar cards in Bengaluru through a middleman for Rs 100 each. More recently, Zeebo Asalina, an Uzbek national arrested in Orissa, had an Aadhaar card naming her as Duniya Khan.

• The perception that security agencies may have a better chance of nabbing potential terrorists if all mobile connections are verified using Aadhaar is flawed. Since Aadhaar cards were based on forged documents and UIDAI does not conduct any verification by itself, it retains the flaws of these documents and is not ‘fraud-resistant’. In fact, once they have Aadhaar, things may get easier for potential terrorists, given the incorrect perception that it is foolproof.
• Paper IDs are not good for privacy since they can be reused for other purposes. But Aadhaar is worse, because once data is shared with hundreds of third parties, it is no longer secure. 
• Electronic KYC is cheaper for telecom operators and banks, it is costlier for citizens. The cost of the loss of personal information is much higher than the benefit of collecting it. UIDAI has no control once data leaves its system via eKYC, which has a tick-box approach to consent and no checks thereafter.
• The risk of personal information leaks increases with more services getting linked to Aadhaar due to security vulnerabilities, or sheer incompetence of the government or third parties.
• Disclosure of Aadhaar numbers is illegal as per Section 29 (4) of the Aadhaar Act.
• Whereas RTI Act makes it mandatory for every public authority to publish the manner of execution of subsidy programmes, including the amounts allocated and the details of beneficiaries of such programmes. This is conflict with Aadhaar Act.
• Biometrics are the least secure form of authentication. They can be cloned from photographs, and you leave fingerprints on every glass of water you pick up.
• Estonia had to suspend its digital ID cards due to cybersecurity related vulnerabilities. Spain is facing similar issues. 
• The government’s cavalier attitude towards privacy that privacy cannot be at the cost of innovation indicates its willingness to put citizens’ personal safety at risk: that your privacy is a price that GoI is willing to pay for making it easier for businesses to be built around your data.
• Data for millions of people has already been compromised by the government, the allegation that critics are “alarmists” and “motivated” is a tactic to divert attention from badly designed architecture, execution mistakes, security failures and the yet-to be-addressed risks.
• While there are some benefits that might accrue from customisation of thousands of services that might otherwise not have had your data, a government that forcibly takes sensitive and personal information from you, and a court that has allowed this to happen despite appeals to stop it, has acted against you and 1.3 billion others.
• All your data, linked to a single ID and accessible to the government under unspecified ‘national security’ considerations, without sufficient checks and balances and judicial oversight, is also dangerous in the hands of a future government that might look to retain power by any means necessary. 
• Mass surveillance for which Aadhaar is an enabler, is an unnecessary and disproportionate infringement of rights, and dangerous for democracy. 
• With Aadhaar numbers littered all over the web, anyone can create a dossier of personal information by finding and joining datasets bases with the Aadhaar number and hence stating that Aadhaar is not a secret or confidential number is misleading and dangerous.
• Publishing a person’s caste, Aadhaar number, or mobile number or emailids is an unwarranted invasion of the privacy of the individual and serves no public interest but the leaked info can also cause financial loss. It opens doors for fraudsters to perform attacks on unsuspecting individuals.
• Publishing of last four digits of Aadhaar number only might not satisfy the provisions of both RTI and the Aadhaar Acts. Publishing Aadhaar number, full or partial, on the open web will put too many unsuspecting people at risk. It’s illegal for UIDAI to pass the buck and act innocent about data leaks. It needs to get across to users of Aadhaar data to follow the law or be held responsible.
• Instead of blaming the transparency requirements of the RTI, UIDAI must be pressurised to enforce its agreements with its partners. Whether you call it a data leak or not, doesn’t reduce the harm done if the authorities continue to publish Aadhaar details on the open web.

Government can't make citizens safer by making them more vulnerable.

The issue is not about Aadhaar as a tool in identification, but of linking it with everything under the sun is gross violation of privacy by government. While linking Aadhaar as remedy to plug leakages of government subsidies is well taken but forcefully linking it to all IDs is as imprudent as having one password for all your transactions which exponentially increases vulnerability. There would be little remedy to assaults by fraudsters on systems that are indiscriminately cross-linked. In the absence of robust data security environment, stringent privacy laws and meticulous penal agreements for any kind of data leakage or misusing, Government has no business to make Aadhaar linking mandatory to all citizen IDs and exposing them to security threats and unknown & unmitigated financial losses.