The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? - Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. - Mahatma Gandhi

In matters of conscience, the law of the majority has no place. - Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty. - Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.” - A three-judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens is with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence. - Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. - Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha, April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Saturday, March 17, 2018

12991 - Aadhaar, smart cards yet to dent PDS drawal - The Hindu

MARCH 15, 2018 01:03 IST

The government expects to see a steep fall in the coming months as the system is streamlined

The attempt to regulate the quantum of rice drawn by beneficiaries of the Public Distribution System (PDS) has not met with much success. Neither Aadhaar seeding of ration cards nor the introduction of ‘smart cards’, which were supposed to remedy this situation, helped.

In February 2017, the quantity of rice offtake was a little less than 3.23 lakh tonnes. A year later, it came down by 6,000 tonnes to around 3.17 lakh tonnes.

Between April 2017 and February 2018, the quantity of rice drawn was about 35 lakh tonnes, barely 1.75 lakh tonnes short of the annual allotment assured to Tamil Nadu under the National Food Security Act (NFSA). Every month, the State requires around 3.2 lakh tonnes.
Steep rise checked

In 2016 and 2017, the Aadhaar seeding and the distribution of smart cards were carried out vigorously.
Out of 6.6 crore Aadhaar allottees in the State, 6.3 crore have been covered.
Out of the 1,94,58,897 conventional cards in vogue in the State, smart cards were given to all but 34,975 persons.
A senior official of the department is, however, quick to point out that with the net increase of four lakh cards in the last one year and enhanced entitlements being provided to the beneficiaries over and above what has been prescribed by the NFSA, the drawal of rice would have been much higher than the present level but for the measures taken by the department.
Also, if one were to consider the figures of drawal by the PDS beneficiaries in December 2017 and February 2018, the reduction is quite perceptible at around 13,000 tonnes.
“It is only since February that we started insisting on the production of smart cards at the time of getting the provisions from fair price shops. We hope to see a further fall in the rice drawal in the coming months,” the official says.
Fingerprint data
Another measure being planned by the department is to collect fingerprint data from the beneficiaries.
It will take about four months to install machines at the fair price shops. The department hopes that after the implementation of this step, the fall in the rice drawal will be steeper.
The government is keen on bringing down the quantum of drawal given the ₹1,000 crore annual expenditure it incurs in meeting the gap between the requirement and the allotment.

On an average, 25,000 tonnes are purchased every month over and above the NFSA allotment.

12990 - Aadhaar Hearing [Day 18] Anand Grover Raises Concern Over Leak Of Sensitive Bio-metric & Demographic Data, De-Duplication Errors - Live Law

BY: MEHAL JAIN MARCH 15, 2018 8:40 PM

Read more at: http://www.livelaw.in/aadhaar-hearing-day-18-anand-grover-raises-concern-leak-sensitive-biometric-demographic-data-de-duplication-errors-read-written-submissions/

12989 - Aadhaar hearing: Section 7 exception in Supreme Court’s interim order greatly affects people’s constitutional rights - First Post

India Asheeta Regidi Mar 14, 2018 14:28:08 IST

The Supreme Court, in yesterday’s hearings, issued interim orders extending the deadlines for Aadhaar based linking until the disposal of the case. However, it drew an exception for the deadlines for subsidies, benefits, etc. under Section 7 of the Aadhaar Act. Thus, for receiving these subsidies, etc. people will have to acquire an Aadhaar card before 31 March, 2018. The result is that for a large and very vulnerable section of society, Aadhaar has been made mandatory.

This has a significant impact on their constitutional rights, in particular, their right to life and liberty, even before the Supreme Court has passed its final verdict on the matter.

The Section 7 exception
Section 7 of the Aadhaar Act deals with the production of an Aadhaar number/ enrolment ID, or undergoing Aadhaar based authentication to receive benefits, subsidies, etc. under Section 7. This has led to several notifications being issued under Section 7, such as those for the beneficiaries of the mid-day meal schemes, the Atal Pension Yojana or for the Cash Transfer of Food Subsidy under the National Food Security Act. These include several services which are essential for the survival of the very vulnerable sections of society, whether it is the mid-day meals for school children, pensions for the old, food subsidies for the poor, stipends for teachers, scholarships for Adivasis, and so on.
Most of these notifications contain the following, standard instructions:
i) Eligible beneficiaries should furnish proof of Aadhaar / undergo Aadhaar authentication.
ii) Those who have not yet enrolled for Aadhaar are to enroll for Aadhaar by the prescribed deadlines.
iii) Arrangements shall be made for enrolling in Aadhaar.
The impact of the interim order (summarised at the end of this article) is that the last prescribed deadline for enrolling in Aadhaar for receipt of these subsidies, which was 31 March, 2018, will not be extended. After this date, people who don’t have an Aadhaar card will not be able to avail of their benefits or subsidies.
Section 7 is, in effect, upheld
The result of this is that the Supreme Court has, in effect, upheld the validity of Section 7 of the Aadhaar Act, to the extent that it mandates the use of Aadhaar for receipt of subsidies and benefits. Even though this is an interim order and not a final verdict, the repeated extension of deadlines through various interim orders was done in order to avoid a fait accompli. This purpose will be defeated if a large section of society is forced to adhere to these notifications before the outcome of the case.
Section 7 could violate numerous key constitutional rights
The importance of waiting for the outcome of the case before mandating Aadhaar is in view of the numerous violations of constitutional rights that could be happening due to Aadhaar. The validity of Section 7, in particular, is a very crucial issue being debated in the Aadhaar case.
The most obvious argument is on the exclusion caused as a result of mandatory Aadhaar. This is first, due to the probabilistic and inaccurate nature of biometric authentication, and second, because people cannot provide an alternate identity document under this Section. The Supreme Court itself had observed that this exclusion could be a violation of the right to equality under the Constitution. The violation of the right to life and liberty due to this exclusion is an even more crucial issue.
The large-scale violation of privacy, be it through the collection of biometrics or of metadata, is yet another issue. The effect on a person’s constitutional right to dignity is also an issue, in terms of treating an entire population to be impersonators merely due to their lack of an Aadhaar card or the failure to successfully authenticate via Aadhaar.

Schoolgirls collect their free mid-day meal, distributed by a government-run primary school, in New Delhi. Image: Reuters

The order is a huge disappointment for those facing issues with Aadhaar
Each of these arguments in effect fails if, by 31 March, a large number of people are forced to rely on Aadhaar, regardless of whether or not it violates their constitutional rights (since the Supreme Court is yet to rule on this).
The current order, thus, comes as a huge disappointment to those hoping for relief from their issues with Aadhaar. For those facing authentication and other issues with Aadhaar, the only option will be to rely on the UIDAI’s exception handling mechanisms. Given the extent of exclusion that is being reported, it is unclear to what extent these mechanisms have actually been implemented or are effective in solving people’s issues.
In addition, it is unclear if the exception handling mechanisms accommodate people who choose not to have Aadhaar. Until the Supreme Court rules on this, the people do have a right to choose not to enroll for Aadhaar. The current order, however, in effect takes away this right for a large section of society.

Linking under these Sections
Note that many of these notifications under Section 7 do not deal with linking, meaning that their cards or accounts pertaining to the schemes will not be invalidated. Their right to obtain benefits, however, will definitely be affected.
Where notifications have been issued under Section 7 specifically for such linking, the accounts will be invalidated as well. Aadhaar linking has been prescribed for certain schemes such as MGNREGA and for PRAN cards. However, it is unclear under which law these are prescribed and subject to what deadlines. Where they are prescribed under Section 7, however, these accounts risk being invalidated after 31 March. This is yet another risk to constitutional rights that a large section of people can face before the pronouncement of the final verdict.

The Supreme Court should reconsider its order
There are serious questions of privacy breaches as well as violation of constitutional rights to be decided in this case. It was taking the seriousness of these questions into account that the 2015 order of the Supreme Court, the first interim order, had restricted Aadhaar to six specified schemes only. It is hoped that the Supreme Court will reconsider the exception it has drawn out for subsidies, etc., under Section 7. The use of a system which (possibly) violates people’s constitutional rights should not be made mandatory before the Court decides on its constitutionality.

A man goes through the process of eye scanning for Unique Identification (UID) database system. Reuters

Summary of the SC’s interim order
The Supreme Court’s order has essentially extended the interim order of 15 December, 2017 until the disposal of the case and the pronouncement of the final judgment. The effect of the Supreme Court’s order is that the deadlines for Aadhaar linkages have been so extended:
i) For all schemes of Central and State government ministries or departments (with the exception of those under Section 7, discussed above).
ii) For all existing bank accounts.
iii) For new bank accounts: Linking can be completed by the extended deadline, but either Aadhaar card or proof of enrolment with Aadhaar must mandatorily be furnished with the application for the new account.
iv) For e-KYC for mobile phone linkages.
v) For linking with PAN: Aadhaar-PAN linkages continue to be governed by the Binoy Viswam judgment, i.e., those who do not have an Aadhaar need not link their PAN cards, but those who do need to link it by the extended deadline.
In addition, the Supreme Court issued two new directions:
vi) This order will also govern the Passport (1st Amendment) Rules, 2018. These rules say that an Aadhaar card must be produced to apply for a tatkal passport. Now, as per the Supreme Court’s order, an Aadhaar card will not be required for applying for a tatkal passport until the disposal of this case. The rules do not mention Aadhaar linking, nor do they contain any deadline for acquiring an Aadhaar number.
vii) For schemes for which notifications have been issued under Section 7 of the Aadhaar Act, whether for Aadhaar based authentication for receipt of the scheme or for Aadhaar linking or seeding, the deadline of 31 March for enrolling in Aadhaar has been retained. Persons failing to provide an Aadhaar number/ enrolment number will not be entitled to receive benefits after 31 March.

The author is a lawyer and author specialising in technology laws. She is also a certified privacy professional.

Published Date: Mar 14, 2018 14:23 PM | Updated Date: Mar 14, 2018 14:28 PM

12988 - Aadhaar hearing: Entire Aadhaar project is beyond the stated objectives of Aadhaar Act, argue petitioners - First Post

India Asheeta Regidi Mar 16, 2018 12:41 PM IST

On Day 18 of the Aadhaar hearings, senior counsels KV Vishwanath, Anand Grover and Meenakshi Arora presented their arguments on behalf of the petitioners.

The issues raised included that the entire Aadhaar project is beyond the Act’s objectives, the excessive data collection under KYR+ and State Resident Data Hubs (SRDHs), and the absolute failure of security in the Aadhaar system. Lastly, the chilling effect of an apprehension of surveillance and its ability to undermine a democracy were argued.

ABBA resolves identity fraud only
Senior counsel KV Vishwanath continued his arguments, discussing the constitutionality of Aadhaar based biometric authentication (ABBA). It was argued that frauds related to the PDS scheme were of three types — eligibility fraud involving ineligible persons registering for benefits, quantity fraud involving eligible persons receiving less than their entitlement, and identity fraud involving claiming an eligible person’s entitlements through duplicate or ghost profiles. ABBA, it was argued, resolves only the third type of fraud.

The State needs to justify the serious infringement of rights via Aadhaar
The government, further, assumed that identity fraud was the only cause of leakages. In addition, old reports pre-dating the Aadhaar scheme had been used to make assessments on leakage. As a result, the State could not show that the increased benefits and saving due to Aadhaar were of a magnitude to justify the serious infringement of rights.
Further, the State had to prove that Aadhaar was necessary and proportionate and that there were no less intrusive alternatives available to achieve its objectives. This, it was argued, could not be proved since the State had failed to consider alternative methods like smart cards, social audits and food coupons to resolve leakages. This shows that the State has failed to discharge its burden with regard to infringement of Article 21.

Request for extension of Section 7 deadlines
These issues, in turn, show that privacy or balancing of interests had not been taken into account while drafting the Aadhaar Act. Lastly, the validity of the mandatory eKYC issued by the Department of Telecom was raised. The petitioners also requested an extension of the deadline for the Section 7 notifications as well.

Entire Aadhaar project goes beyond the Act’s objectives
Thereafter, senior counsel Anand Grover commenced his arguments. It was argued that the entire Aadhaar project was being operated by the state as a vehicle of myriad objectives, going way beyond the stated objectives of the Act. The divergence in the two led to Aadhaar project often being used for purposes that were unregulated or prohibited by the Act.

Excessive data collection under KYR+
To prove this, the issue of excessive and unauthorized data collection under Know Your Resident (KYR+) was raised. Only demographic and identity information could be legally collected under the Aadhaar Act. Under KYR+, additionally, data like PAN, driving license and bank account numbers, education and home ownership details, religion and caste details, etc. were also being collected.

Biometric authentication of Aadhaar. Image: Getty

Illegal sharing with SRDH
Further, there was illegal sharing of this data, such as sharing with the SRDHs. The very collection and storage of this data, it was argued, is a misuse of the Aadhaar enrolment process. The UIDAI itself, it was argued, developed the SRDH systems, and set up the mechanisms for the transfer of Aadhaar identity information to it. Such transfer is impermissible under the Aadhaar Act and a misuse of the Aadhaar enrolment processes. In addition, even though the central identities data repository (CIDR) itself is protected, the data stored in such additional locations, like the SRDHs, enrolling agencies, requesting entities, etc., was not.

No evidence of destruction of SRDH data
The petitioners further argued that there was no evidence to prove governmental claims of erasing the biometric data with third parties like the SRDHs and registrars. For this, the complexities of data destruction, such as the need for physical destruction of servers, hard disks, etc., were pointed to.

Use of biometrics violates Article 21
The next argument was on the use of uncertain and unproven biometric technology as a violation of Articles 14 and 21. It was argued that a person does not necessarily have a unique identity via biometrics. The thumbprint and iris scan together narrow the identity down, but this is still not unique. In addition, such biometrics, including iris scans, are changeable.
They argued that for matching of biometric details, there was a deduplication ratio of 1:121, which was far too high. Section 5 of the Aadhaar Act, which provides for special measures for senior citizens, persons with disabilities, unskilled workers, etc., is also an admission of the limitations of ABBA. Biometrics, thus, lead to exclusion, which is violative of Article 21.

L1 Contracts make Aadhaar insecure ab initio
Next, the issue of the contracts of UIDAI with foreign agencies for multi-modal biometric systems, the L1 contracts, was raised. These agencies had complete access to the Aadhaar data, along with continuing control over the Aadhaar technology. The Aadhaar Act, it was argued, states that this data should not be with anyone else, but these agencies had access to all this data. This factor, it was argued, made Aadhaar insecure ab initio.

Complete failure to maintain data security
Further, there was a complete failure to ensure the safety of the data which is required under the law. The inherently personal nature of the data, it was argued, meant that the State must ensure its protection. If it cannot, then it cannot take the data. To show the lack of security, the numerous risks at the enrolment and authentication level, including errors and violations by the agencies were listed.
Additionally, it was argued that the Aadhaar enrolment process had been hacked at every level, but the UIDAI failed to address these issues. The ability to duplicate biometrics and the continuing acceptance of authentication even from unregistered devices were also cited. Security measures taken, it was argued, were only ad hoc in nature.

Violation of interim orders of the SC
Lastly, the violation of the interim orders of the Supreme Court through the issuance of notifications under Section 7 was raised. The settled law, it was argued, is that once the Court has passed orders, it is the duty of all those who are bound by it to abide by it so long as it stands. The notifications mandating the use of Aadhaar were thus an impermissible executive exercise and must be set aside.

The chilling effect of an apprehension of surveillance
Senior counsel Meenakshi Arora then commenced her arguments. The first argument was on surveillance. The Kharak Singh ruling dealt with surveillance that was individual and targeted, a form of surveillance that is now a thing of the past. In S and Marper v. UK, the European Court of Human Rights recognised that not just actual surveillance, but even a reasonable apprehension of surveillance can cause a chilling effect.

Secret surveillance can undermine a democracy
Next, the European Court of Human Rights’ (ECHR) judgment in Szabo v. Hungary was discussed. It was argued that while in this case, national security was used to justify secret surveillance, in the case of Aadhaar, a similar argument was being made for justifying bank linking, telephone linking and so on. In the Szabo case, it was held that the very existence of a law which permits secret surveillance, without adequate safeguards, was a violation of privacy. Aadhaar, it was argued, has been introduced by the state as a preventive measure, and this very justification has been rejected by the Court in Szabo.
Additionally, the lack of recourse for individuals had been considered to be one of the grounds of violation by the ECHR. A similar lack of recourse can be seen in the case of Aadhaar. Lastly, the ruling in the Szabo case was cited — that a system of secret surveillance set up on the grounds of defending democracy, entails a risk of undermining or even destroying democracy.

The hearings will continue on Tuesday, 20 March. The petitioners are scheduled to complete their arguments in Tuesday’s morning session.

Sources of arguments include livetweeting of the case by SFLC.in, Prasanna S and Gautam Bhatia, and Written Submissions of the counsels (KV Vishwanath and Anand Grover).

The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.

Published Date: Mar 16, 2018 12:41 PM | Updated Date: Mar 16, 2018 12:41 PM

12987 - Aadhaar still a must to avail of services, says UIDAI chief Ajay Bhushan Pandey

The CEO of UIDAI says despite SC indefinitely extending deadline for Aadhaar linking, new applicants for bank accounts, Tatkal passports and telecom services will still have to provide the unique ID number.
INDIA Updated: Mar 16, 2018 10:36 IST

Komal Gupta 
Hindustan Times, Mumbai

File photo of chief executive officer of the Unique Identification Authority of India Ajay Bhushan Pandey. (Ramesh Pathania/Mint)
New applicants for bank accounts, Tatkal passports, mutual funds and telecom services will have to still provide their Aadhaar number to avail of services even after the Supreme Court indefinitely extended the 31 March deadline, Ajay Bhushan Pandey, chief executive officer of the Unique Identification Authority of India (UIDAI), said in an interview on Tuesday. The apex court extended the deadline until after it rules on petitions challenging the constitutional validity of Aadhaar. 

Edited excerpts:

What does the Supreme Court’s interim order on Tuesday mean?
The Attorney General had earlier made a statement that when the time comes the government would not be averse to extending the deadline. Based on that, when the matter came up on Tuesday again, the Attorney General said that we may extend the date for bank accounts and other services, but so far as the benefits, subsidies and services under Section 7 of the Aadhaar Act are concerned, that should remain undisturbed. The court accepted both the arguments and gave the order that for subsidies and welfare programme under Section 7, the deadline will remain as it is. For bank accounts and non-subsidy areas like passport, telecom, the linkage with the existing account, the court has directed that the interim order of 15.12.2017 shall stand extended till the matter is finally heard and the judgement is pronounced.
However, for opening new accounts, either the Aadhaar number or the enrolment ID is required. So, some reports in media saying that Aadhaar number is not any more required for bank accounts, mutual funds, telecom, etc. are not correct. In each sector, there are two types of things — the existing ones and the new ones. For the existing ones, the date has been extended, but for the new ones, such as opening of new accounts, etc., Aadhaar is required.

There seems to be some confusion with the Tatkal passports….
The Supreme Court order is clear and is applicable to passport also. In case of applying for a new Tatkal passport, Aadhaar number or enrolment ID with other documents is needed. To that extent, we did not see much change in status for Tatkal passports from the court’s order.

Many states collected their own biometric database before the Aadhaar Act was passed in 2016. In a Supreme Court hearing, the Gujarat government lawyer said that data has been destroyed after the enactment of the Act. Did UIDAI also dump some data related to them?
The other side (petitioners against Aadhaar) said that there were some states creating state resident data and that was not good as it leads to a surveillance state.
In pre-Aadhaar (Act) situation, all the state governments were our registrars i.e. they were registering people for Aadhaar. Whenever someone enrols, the demographic information i.e. name, date of birth, address and biometrics- photograph, fingerprint and iris (scan) — are collected. The states used to keep a copy and send another copy to us. The information was stored in an encrypted manner and there was a key to it. We would do the de-duplication at the backend to generate an Aadhaar number and inform you of the Aadhaar number so that you will have a database of all the persons you have registered along with the Aadhaar number now and the other information you already have.
But yes, it’s a fact that the information was available to them as it was the arrangement under which they were collecting the information itself.
There was also another situation. Suppose you have gone to a bank and have enrolled for Aadhaar, so the bank will have one copy but while filing the application form you say that I don’t have any objection if my data is shared with the entities involved in the delivery of social benefits. For such people, even though the registration has been done by the bank and bank has the biometrics..., we gave the demographic information and Aadhaar number to the state governments. So the state governments had a dataset, one dataset of the people whom they have enrolled along with their biometrics and another is the ones that they got from other registrars where they got only the demographic data. This was called State Resident Data Hub and the idea was that the state governments are involved in the various benefit schemes like MGNREGA, PDS etc. and accordingly plans (benefits of) which schemes should be given to you and which schemes should not be given to you.

However, when the Aadhaar Act came, many of these things went away. The first thing that went away was that we stopped giving one copy of the data to them. We also told them ‘please destroy all the biometric data that we have given to you before the Act.’

12986 - Aadhaar: French security expert allegedly hacks into Aadhaar app in a minute

The security expert said that his motive behind exposing the loopholes is to point out the flaws to companies and help fix them.
Staff. Published: March 14, 2018 5:05 PM IST

French security expert Elliot Alderson, who created a furore by allegedly hacking into the Aadhaar database of over twenty thousand users in a single day using a simple internet search tool, has again hit the news. This time, he hacked into the Aadhaar Android app in a minute.

Alderson posted a video from his Twitter account highlighting the extreme vulnerability of the Aadhaar app and how it is possible to gain access to the app even without a rooted device.

How to bypass the password protection of the official #Aadhaar #android #app in 1 minute.
For this attack, the attacker needs physical access to the phone, a rooted phone is not needed and yes this is the latest version of the app.
cc @uidai @ceo_uidai

If one takes a look at the alleged hacker’s timeline, it is filled with multiple discoveries of loopholes in not only Aadhaar but other prominent businesses including BSNL, Paytm, and the Indian Postal Service. In his latest tweet, Alderson highlights the vulnerability in the website of Apollo Hospitals which potentially exposes patient data.
India Today spoke to the hacker and discovered that the name Elliot Alderson is, in fact, an alias used for social media and the real name is Baptiste Robert. The hacker identifies himself as a freelance Android developer who works for phone makers.
On discovering vulnerabilities in Aadhaar cards in a single day, Alderson told the publication, “These cards can be found on the internet. Everything is public, no hack is required. You only need to use Google. These cards have not been found on the UIDAI server.”

He further said that it is possible to misuse the Aadhaar by accessing its Android app. Alderson explained that the main flaw with the Aadhaar Android app is that if an attacker has access to the device containing the app, it is possible to easily bypass the password mechanism and access data.
Meanwhile, the UIDAI issued a statement that by simply knowing someone’s Aadhaar, one cannot impersonate and harm the person as the identification number alone is not sufficient and biometrics are the pre-requisite for such authentication processes. To this, Alderson said that UIDAI’s earlier statement of Aadhaar card being an identity document is inconsistent with the newer statement.
Alderson goes on to caution citizens against using the Aadhaar Android app, saying it is complicated and one needs to be cautious when giving the Aadhaar card to anyone.

It is unusual for someone like Alderson, who does not seem to be an Indian citizen, to take a keen interest in businesses and government projects happening here. However, Alderson is quoted as saying that he simply wants to point out flaws and help companies fix them. “I’m not motivated by the money at all. Security is important. As a company, it is your duty to protect your user data,” he is quoted as saying.

UIDAI has dismissed the reports as irresponsible which appeared in a section of social and other media on security of Aadhaar system being questioned on account of a few Aadhaar cards reportedly put on the internet by some unscrupulous elements. 1/n

In a long threaded response to these reports, UIDAI has maintained that Aadhaar data is completely safe and no misuse of any kind has happened. In one of the tweets, UIDAI stressed, “Aadhaar just like any other identity document, therefore, is never to be treated as a confidential document.”

The report follows the Supreme Court announcement on the indefinite extension of the last date for linking Aadhaar to bank accounts, PAN cards, SIM cards, etc from March 31, 2018. However, for those availing services such as opening new bank accounts and applying for Tatkal passports, Aadhaar is still a mandate.

12985 - Aadhaar unique IDs in India: a qualified success?

Friday 16 March 2018 | 08:37 AM CET

Anshuman Jaswal from Kapronasia shares insights into the security and privacy concerns related to Aadhaar, which are often overlooked

This editorial was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.

The Digital India project initiated by the Government of India has made significant headway in the last few years. As part of this project, the Unique Identification Authority of India (UIDAI) has presided over the allotment of unique identification numbers to all Indian residents since 2009. Currently, more than 1.1 billion Indian citizens and residents have Aadhaar IDs, making this the largest exercise of this kind the world has ever seen. There are many potential benefits of such a scheme, but there are also concerns and pitfalls. Besides the advantages, this article also focuses on some of the security and privacy concerns related to Aadhaar, which are often overlooked.

Benefits of Aadhaar
India is the second most populous nation on earth, with more than 1.3 billion people. Having a unique identification system in place would be a fillip for the government, as it would allow government schemes for poverty alleviation and improvement in health and educational well-being to be better targeted. For example, if a needy person’s bank account is linked to their Aadhaar biometric ID, then it would be easier for the government to provide funds to the individual without using any intermediary. In a country struggling with corruption throughout the government machinery, being able to reach the target audience directly is a significant benefit. Similarly, if both the bank accounts and the tax IDs of individuals are linked to the Aadhaar ID, then the government can trace the income and expenditure of its citizens, thereby obtaining vital information that would allow it to counter money-laundering and the shadow economy.

Security challenges are paramount
Creating a monumental technology infrastructure to meet the requirements of a population of more than 1.3 billion people does not come without its problems. Many people have questioned the wisdom of concentrating so much critical personal information in a government platform that is not known for having a robust security framework. There have been two prominent instances in which the Aadhaar database has been compromised.

In May 2017, the Bengaluru-based Centre for Internet and Society (CIS) alleged that there had been an illegal breach of the database, and Aadhaar identity numbers of more than 130 million people had been leaked online, along with their dates of birth, addresses, and tax IDs (PAN). It is believed that the revealed information did not include the biometric identification of the people affected, but the breach was significant nonetheless as it exposed millions of people to possible fraud.
The response of the UIDAI was also insightful, because it asked the CIS to reveal on which servers the data was stored, and who might have been responsible for the breach. The UIDAI response quoted the relevant laws, namely sections of the Information Technology Act, 2000 and the Aadhaar Act, underlining the liability under law. The aggressive approach of the UIDAI forced the CIS to retract some of its claims, but then the focus of the discussion was shifted from the loss of critical information to the semantics of the claims of CIS. Instead of calling the breach a “leak”, after receiving the letter from UIDAI, CIS stated that it was merely an “illegal disclosure”.

The second instance of a breach occurred between January and July 2017, when an IT expert hacked into the Aadhaar-enabled e-hospital system created under the Digital India project of the Government of India. His intention was to access the central identities data repository of UIDAI for verification of Aadhaar numbers, to be used for an ‘eKYC Verification’ app created by him. The UIDAI database gave him access considering that it was the e-hospital system that was requesting the Aadhaar identity verification. The hack shows that the security protocols of the UIDAI require significant overhaul before it can be trusted to protect the hundreds of millions of digital identities in its database.

Aadhaar and the right to privacy
The Indian constitution does not mention a right to privacy. This has been raised as a serious concern by the critics of Aadhaar, since there is no related privacy framework that outlines how the government can use the Aadhaar information. However, the Supreme Court of India addressed some of these concerns when it stated, in August 2017, that privacy is a fundamental right under the Constitution with reasonable restrictions. It was a landmark decision in the Indian context, since it could affect the way in which the unique identification data is collected, and especially the means for which it is used. For example, in the past, the government has mandated that Aadhaar data be linked to citizens’ information from bank accounts, tax filings, medical records and phone numbers. Once this is achieved, the government would have unregulated access to such information. There is currently no statute or legal precedent to guard against abuse or to allow an individual to file a complaint.
The Supreme Court decision gives encouragement to citizens and institutions that are concerned about the rights of ordinary individuals, while also laying the groundwork for further work that needs to be done to create a robust legal framework in this field.

About Anshuman Jaswal

Dr. Anshuman Jaswal is Director, Capital Markets and Head of Indian Financial Services at Kapronasia. He has extensive research and consulting experience, and has written more than 100 reports on a variety of topics in financial services.

12984 - 10 Aadhaar questions answered for you - Live Mint

The Supreme Court has extended the Aadhaar linking deadline indefinitely. How does this affect you? We answer some of your questions

Last Published: Wed, Mar 14 2018. 08:16 PM IST

The deadline for linking mobile phones and bank accounts has been extended, but you’ll still need the unique ID for opening a bank account and applying for a tatkal passport. Photo: Pradeep Gaur/Mint

The Supreme Court has stepped in and pushed the Aadhaar linking deadline just a few days short of 31 March. Some respite, this. But how do you cope in an Aadhaar-prepped world? From hotels to healthcare to financial services, everyone seeks to authenticate you through Aadhaar. What do you need to do if it’s the only ID card they’ll accept? Mint steps back and looks at 10 questions you need to answer before you flash your Aadhaar card.

What is the new deadline?
The deadline for linking mobile phones, bank accounts, and several other financial services to Aadhaar has been extended. Once the Supreme Court has decided on Aadhaar-related matters, a new deadline may be announced. A constitution bench of the court is hearing cases challenging the constitutional validity of the Aadhaar Act, as well as that of linking it to various services. On 15 December 2017, the Supreme Court had extended the deadlines for linking it to government-subsidized welfare schemes and services and set 31 March 2018 as the new deadline. However, this time it has been extended indefinitely except for welfare schemes and subsidies. The Supreme Court had also said that Aadhaar should be purely voluntary and that it could not be made mandatory until the matter is finally decided by the court.

So I don’t need an Aadhaar for a new bank account?
No, you still need an Aadhaar or an Aadhaar enrolment ID to open a new bank account. While the 15 December order had extended the deadline to link existing bank accounts with Aadhaar, it did allow that the Aadhaar enrolment ID be submitted to banks to open a new bank account. However, other financial services like buying insurance and mutual funds can still be done without Aadhaar. The extension also applies to the linking of PAN with Aadhaar.

What must I link with Aadhaar?
The government had made it mandatory to link Aadhaar with several services including bank accounts, mutual funds, insurance policies and small savings schemes like the Public Provident Fund. This was done through amending the Prevention of Money Laundering (Maintenance of Records) Rules, 2005. Also, the permanent account number (PAN) had to be linked with Aadhaar in order to file income tax returns. Mobile phone connections were also to be linked with Aadhaar. 

In addition to these services, several state and central government welfare schemes were to be linked with Aadhaar. This included schemes that involved getting a subsidy through direct benefit transfer like subsidy for LPG or scholarships, among others. The deadline extension is not for these welfare schemes and subsidies. For these, the deadline remains 31 March.

What if I don’t link?
For now, you don’t have to. However, if the Supreme Court finally decides that the services need to be linked to Aadhaar, you will have to do so. But what happens if you don’t link even after that? The financial institutions we spoke to are not clear what will happen if an individual fails to link Aadhaar with these services. However, according to the amended Prevention of Money Laundering rules, in case the bank account holder fails to do so, her access to the account will be blocked, and will be granted only after Aadhaar, or proof of enrolment in Aadhaar, have been submitted.

While it is clear as per rules that the access to bank accounts could get blocked, it is not clear yet if account holders will continue to earn interest on their deposits or savings in case of PPF, or servicing of insurance policies would stop altogether.

Can I delink Aadhaar?
As of now, there is no provision or mechanism to delink the Aadhaar that is already linked with some service or welfare scheme.

I have been getting reminders from banks and telecom companies. Even though the deadline has been extended, should I link Aadhaar?

As long as the Supreme Court does not give a final decision, no services, including bank accounts or mobile connections, can be discontinued by the service providers for the want of Aadhaar. If the linking systems are active, it is up to you to decide if you want to link it with the services.

Will I lose out on something if I do not link the services?
No, financial and telecom services will not be affected. Your accounts or phone connections cannot be discontinued. Moreover, the UIDAI has specifically insisted that no essential services like hospitalization, medical help, school admissions or ration through PDS, can be denied to a beneficiary if she does not have Aadhaar or Aadhaar authentication does not work. 

“Under no circumstance, anyone can be denied a service just because he/she doesn’t have an Aadhaar. If one does not have Aadhaar or if Aadhaar online verification is not successful due to some reason, the agency or department has to provide the service as per Section 7 of Aadhaar Act, 2016 and Office Memorandum dated 19 December 2017 by using alternate means of identification…” the UIDAI said in a press release in February.

What happens if I don’t give Aadhaar for government schemes?
The UIDAI has insisted that essential services like hospitalization and PDS will not be denied. Also, Section 7 of the Aadhaar Act provides some scope for other forms of authentication. However, direct benefit transfers, which means receiving money directly in bank account as a subsidy or government scholarship, could be discontinued if Aadhaar is not provided.

Can private companies ask for Aadhaar number?
The UIDAI provides authentication services to several service providers including private companies, which can be used to establish the KYC details of an individual. Service providers using this facility are to be registered with the UIDAI as Authentication User Agencies or e-KYC User Agency. The list of active AUAs or KUAs is available on the UIDAI website.

What do I do if some private service provider asks me for my Aadhaar number?
As long as the Supreme Court does not make a final decision, any commercial service-provider cannot insist on only Aadhaar. In case of hotels, an identity proof can be asked for and the hotel should accept any government approved identity proof. If a hotel or any other service provider denies services just for Aadhaar, you can ask them to give this in writing and threaten with legal action since there is no redress for you through the UIDAI.

(The answers have been compiled based on discussions with lawyers, executives of financial services companies, government officials, CBDT spokesperson; and information available on the UIDAI website.)

First Published: Wed, Mar 14 2018. 06:47 PM IST

12983 - SC order on Aadhaar puts a hole in mobile wallet plans - Economic Times

By Pratik Bhakta

Now with the top court’s decision to indefinitely extend deadline for mandatory linking of Aadhaar for services, times are only expected to get tougher for the mobile wallet industry. 

BENGALURU: The Supreme Court’s decision to indefinitely push Aadhaar linking of bank accounts and telecom services is a setback for mobile wallet companies such as Paytm and MobiKwik that are trying to complete mandatory KYC (know your customer) verification of their customer base. 

Prepaid payment issuers (PPIs) were relying heavily on the Aadhaar interface to accomplish KYC of their customer base. But in the wake of the Supreme Court’s decision on Tuesday, consumers may hesitate to share biometric details with these companies, industry insiders said. 

This is a double whammy for payment firms that are running against time to retain their existing user base because the Reserve Bank of India’s deadline to accomplish complete KYC of their customers ended on February 28. 

“Timing could not be worse for this SC decision, it’s leading to all sorts of confusion,” MobiKwik CEO Bipin Preet Singh tweeted. 

While the central bank had allowed any government approved ID card for KYC verification, companies have been extensively using the UIDAI (Unique Identification Development Authority of India) biometric database to validate their consumers because it’s faster and cheaper. “While there are other forms of doing the KYC, paper document-based processes are inconvenient for the user and expensive for the company,” said a CEO of a payment company. “With Aadhaar, authentication of the user is digital and quick.”

A senior executive of a VC firm, which has multiple investments in the fintech space, said: “Companies can do the Aadhaar-based KYC at less than may be Rs 25, but in the past if paper-based KYC had to be done it would cost as much as Rs 500.” Then there is also security risk. If paper documents are collected, they have to be manually matched against the picture and personal details submitted by the consumer, which may expose the setup to fraudsters, industry insiders said. 

Most wallet companies plan to go ahead with Aadhaar verification process as there has been no instruction to stop it even as they open up their systems to various physical documents such as driving licence and PAN (permanent account number) card. “We are allowed to do KYC with other government-approved documents as well and we will continue to do so,” said Sunil Kulkarni, joint MD at payment solutions firm Oxigen Services. “However, the pace at which consumers are getting their KYC done is yet to pick up and response is still slow,” he said. 

12982 - Aadhaar Articles Dated 16th March 2018

Economic Times
A senior executive of a VC firm, which has multiple investments in the fintech space, said: “Companies can do the Aadhaar-based KYC at less than may be Rs 25, but in the past if paper-based KYC had to be done it would cost as much as Rs 500.” Then there is also security risk. If paper documents are ...

The French security researcher, Baptiste Robert (alias Elliot Alderson on Twitter), brought India's data security issues into the limelight again. This time he hacked into the Aadhaar app, bypassing the program's password protection protocol within a minute. The Internet has been in an uproar about how ...

The Paypers (press release) (blog)
Currently, more than 1.1 billion Indian citizens and residents have Aadhaar IDs, making this the largest exercise of this kind the world has ever seen. There are many potential benefits of such a scheme, but there are also concerns and pitfalls. Besides the advantages, this article also focuses on some of ...

Inc42 Media
Inspired by the popular award-winning cybersecurity-based American TV series Mr. Robot's protagonist Elliot Alderson's quote “A bug is never just a mistake. It represents something bigger. An error of thinking that makes you who you are,” an anonymous hacker has now rebuked the Aadhaar security of ...

New Delhi: Following the Supreme Court's interim order indefinitely extending the deadline for linking Aadhaar to various services, the chief executive officer of the Unique Identification Authority of India (UIDAI), Ajay Bhushan Pandey attempts to clear the confusion on mandatory use of Aadhaar.

On Day 18 of the Aadhaar hearings, senior counsels KV Vishwanath, Arvind Grover and Meenakshi Arora presented their arguments on behalf of the petitioners. The issues raised included that the entire Aadhaar project is beyond the Act's objectives, the excessive data collection under KYR+ and State ...

Business Today
Aadhaar procrastinators around the country could not stop gloating yesterday, after the Supreme Court indefinitely extended the March 31 deadline for mandatory linking of the UID number to various services and facilities, barring subsidies and benefits. But then, in a late evening tweet, the Unique ...

Live Law
On Day 18 of the Aadhaar final hearing, Senior Counsel KV Viswanathan resumed his submissions on the point that the government has been unable to satisfactorily prove how Aadhaar-Based Biometric Authentication (ABBA) has contributed towards savings and the plugging of leakages in social ...

The Hindu
The attempt to regulate the quantum of rice drawn by beneficiaries of the Public Distribution System (PDS) has not met with much success. Neither Aadhaar seeding of ration cards nor the introduction of 'smart cards', which were supposed to remedy this situation, helped. In February 2017, the quantity of ...

Several families have been denied a ration card — primarily because of lacking Aadhaar — despite meeting the criteria for inclusion in the Public Distribution System under the National Food Security Act (NFSA) 2013. Debashish, a sarpanch from Koraput in Odisha, said that out of the 1,393 households ...

Yavatmal, Maharashtra: A group of youth found hundreds of Aadhaar cards dumped in a well in the district while they were cleaning it, an official said ... On opening the bags, to their surprise, they found hundreds of original Aadhaar cards, mostly of the residents of Lohara village, located on the city's ...

On Day 17 of the Aadhaar hearing on 14 March, senior counsel KV Vishwanath continued his arguments for the petitioners. The validity of Section 59 as a validating provision of the Aadhaar Act, the de facto mandatory nature of Aadhaar, and the arbitrary and disproportionate collection and storage of ...

The Tribune
When asked, the operator said since he did not have a facility to print Aadhaar cards at his counter, he had to save all files on his laptop. “We take the biometrics of people, create pdf files of their Aadhaar cards and save these in our laptops. As we do not have the facility of a printer, we print it later at a ...

Gadgets Now
No IT systems across the world can claim to be safe, including Aadhaar, due to rise in complexity of cyber attacks, Indian arm of London Stock ... When asked his view on Aadhaar, which claims to be completely safe and secure, he said "in terms of vulnerabilities, no one can claim that his system is 100 ...

Live Law
On Day 17 of the Aadhaar hearing, senior counsel KV Viswanathan continued his submissions on behalf of the petitioners in context of Section 59 of the Aadhaar Act of 2016, which lays down that all actions taken or anything done prior to the coming into force of the Act shall be deemed to have been ...

Business Standard
The Committee also discussed the issues about expediting the process of the issuance of Aadhaar card and asked the concerned officials that maximum efforts be made for the age group of 0-5 age where only 8 per cent children are covered so far, the spokesperson said. Legislators Vibodh Gupta ...

The Supreme Court order to indefinitely extend the deadline for linking Aadhaar to bank accounts and phone number has become a setback for mobile wallet companies, according to a report by The Economic Times. Customers might be wary of sharing KYC details with mobile wallet companies such ...

Aadhaar card data continues to be available publicly on the internet, as can be seen from a simple google search for “mera aadhar meri phechan filetype:pdf”. Not only are printable Aadhaar cards available publicly, many results are found on government and private domains that have no business ...

Mr. Vishwanathan submitted that the presumption of criminality inherent in the collection of identity information that is the premise of the Aadhaar system is ... He said that in case of Aadhaar, biometric data of individuals is collected by enrollment agencies who are private entities. said that there is no ...