I wrote this piece as a rant in response to a question on Quora: What is Wrong with India
Well what is wrong with India?
Right now? As of December 2017, it’s this poor implementation of a technology that’s making the lives of Indian citizens miserable.
Touted by UIDAI and the Modi government as a ground-breaking solution for all your problems. Well, they are partially right. It’s only ground-breaking, as in - literally breaking the ground on which every other good thing stands. Solution? Nope!
Why, you ask? Well, let’s see -
What is Aadhaar?
It’s a 12-digit unique-identity number, which the Indian Government intends to issue to every citizen. Think of it as your national ID. It’s also the world’s largest biometric ID system - over 99% of Indians above 18 have already enrolled for Aadhaar.
What kind of information is captured?
A plethora of data, starting from your name, birthdate, address, biometric details like finger-prints and retina scans.
What is it supposed to solve?
It’s supposed to vastly improve the speed and delivery of services to Indian citizens - ranging from financial transactions, government services, medicine, education, telecom, internet, preventing money laundering and fraud, terrorism…the list is huge. Notice I said supposed to.
For this, you gotta link your Aadhaar card to every damn thing under the Sun - starting from mobile operators, bank accounts, health records, college admissions, pension schemes, mutual funds, and so forth.
All right, now that you know what it is, let’s address the elephant in the room.
Why is it shitty?
- Because linking every essential service to one single ID is dangerous and a design flaw.
- Because Aadhaar isn’t secure, and the authorities have been turning a blind eye.
- Because Aadhaar related fraud and malpractices are becoming common-place.
Let’s examine these points, one by one:
1: Is Aadhaar ID unique / robust?
Did you notice the “supposed to” part earlier? Here are some of the numerous goof-ups that have happened over time:
- Maharashtra Loan Waiver Hits Roadblock as Lakhs of Farmers With Same Account, Aadhaar Numbers Listed
- Everyone in this Uttarakhand village has the same birth date on their Aadhaar cards
- Underage girls who were rescued from brothels were sent back because their Aadhaar card showed them as majors.
This is by no means an exhaustive list. There are so many instances where people have been denied essential services because their Aadhaar had faulty data.
Take for example, the Aadhaar enrollments until Jan 2017. Out of 15 Crore Enrollments, over 6 crore enrollments had duplicate biometrics.
2: Is it consensual/voluntary?
Entire families dying of starvation because they didn’t have Aadhaar and were denied food rations.
Everyone - from telecoms to banks to even pension schemes - is threatening to disrupt their services if you don’t link your Aadhaar card.
Yes, arm-twist the fuck out of me to link my Aadhaar to LIC or else threaten to freeze the policy. And when I do it, you make me click on a disclaimer that says I VOLUNTARILY give my consent. NO, I DO NOT VOLUNTARILY GIVE MY CONSENT YOU FUCKING GOONDA AADHAR MAFIA! pic.twitter.com/D3rO3lu64X
— MJ (@jay4nth) December 6, 2017
Strong-arming you into giving your Aadhaar and biometric information, threatening to freeze your services, and then making you click a disclaimer saying that you “voluntarily give your consent”, is not consent.
It’s like someone holding a gun to your forehead, and making you sign a document that says that you willingly handed over your wallet!
3: Is it secure?
No. First of all,
It’s faulty to assume that bio-metric information is tamper-proof. It isn’t. It can be easily compromised.
Finger-prints and iris information can be easily copied using a good smartphone. Moreover, if someone decides to use a fake fingerprint authentication machine, how would you even know? What about those who are technologically illiterate?
Sure, debit cards and driving licenses can be tampered with, too. But they can be replaced. Your fingerprints, however, cannot.
Fingerprints can also get worn out; they could even change as the years go by, or if you’re into labor work. Read about how many workers in Telangana were denied employment benefits because their Aadhaar couldn’t be authenticated.
There have been numerous data breaches over the past year. The personal information of millions of Indian citizens has been compromised and put at risk.
Earlier this year:
- The Aadhaar-linked data of over 130 million Indian citizens, such as names, addresses and bank account details, was put up on over 200 websites for months.
- The CIA reportedly has Aadhaar linked data of millions of citizens
- At Vishakhapatnam, over 15% of Passport applications were attached with fake Aadhaar Cards. That’s right, forging Aadhaar cards is easy, and officials aren’t even equipped to tell fake ones from real ones.
- The OTPs issued by UIDAI are sent over insecure channels.
- No respite to HIV patients.
But the biggest scam of them all happened this December.
You thought that when I said frauds are happening, I meant individual criminals were doing it? Think again. The latest fraud was not done by one individual, it was done by an entire freaking telecom company.
Been screaming hoarse about how Aadhaar can be used as a tool for fraud. I was assuming that individuals with criminal intent would be misusing it. BUT something WAY bigger happened. Due to Aadhaar's shit design, a whole telecom company did fraud! https://t.co/hbcaDOhhd0
— meghnad 🔗 (@Memeghnad) December 20, 2017
Lakhs of people had their LPG subsidies credited to accounts they didn’t open or even know existed!
Some common arguments in support of Aadhaar
I frequently hear these during Aadhaar related discussions:
#1: In USA, citizens are also given unique identity number, so what’s the harm if we have one?
Aadhaar isn’t anything like Social Security Number. Does SSN rely on biometric authentication for providing services? No! What do you think happens in USA if someone’s SSN fails to authenticate?
#2: What’s wrong in linking everything to one ID? Isn’t it better to have one ID proof rather than having multiple IDs?
No, because you’re creating a Single Point of Failure. When you keep adding more and more services to a single National ID, you’re putting everything at risk: it becomes a central point of attack. All that someone needs to do to introduce chaos is to attack that single point. Everything else would collapse.
Have you wondered why if your passport gets stolen, it doesn’t affect your bank account? That’s because one doesn’t necessarily rely on the other. You have options to use alternate IDs. Does the theft of your driving license affect your mobile phone usage? No, because again - they don’t necessarily have to be connected to each other.
Now think, what would happen if these unrelated services were inextricably linked?
When the entire world is trying to move towards decentralized systems, like cloud services, blockchain, even AI - why would you want to compromise personal and private information by storing them all under one single repository?
#3: You don’t have any problem with giving information to Google / Facebook, so why not for Aadhaar?
Does Facebook or Google threaten to disrupt / de-activate all their services if you don’t give them your Aadhaar information, unlike Bank accounts or telecom operators? Do they coerce you into sharing critical bio-metric information? No! Moreover,
Facebook, Google and Twitter are luxuries, not essential services. You can opt out of them at any time.
Is having a Facebook, Google or Twitter account essential in living a normal life? We are talking about essential services - like education, finance, health services and telecoms. When your very life/livelihood depends on them, it becomes all the more important that tampering with one doesn’t mess with the entire fucking system.
#4: No technology is fool-proof. Rather than criticizing it, you should work towards making it better.
As of now, Aadhaar is the only platform in the world with over a billion users and no formal bug reporting policy. You have to rely on Twitter and other means to report issues. Do you think that the vast majority of Indians use Twitter to voice their grievances?
What did UIDAI actually do to make the system better, apart from claiming every single time that the data breaches were not their fault? They attempt to fix things only after the damage is already done, until then they don’t pay heed.
People have been arrested for pointing out loopholes in Aadhaar - Article says Aadhaar can be hacked, FIR against writer
India neither has strong data security laws, nor is it at all clear who is accountable in case anything goes wrong. It’s become an excuse for officials to put the blame on technology, to divert attention from their own incompetency.
#5: But how is it Aadhaar’s fault? Isn’t it the fault of Airtel / other criminal individuals / other elements? Why are you blaming Aadhaar for this?
Let me ask you something. Imagine there’s a builder, who has government support and is coercing you to put all your belongings in the home he has built for you. He claims it’s the most secure system there is, because it has a lock and key.
But your house keys are left out in the open. Duplicates made, all given to 3rd parties. You’re screaming hoarsely, asking him not to do that, but he doesn’t give a shit. Why? Because the house has a lock and key, so it’s secure, yay! What’s worse? Many people do get gullible and believe that their belongings are safe, just because there’s a lock and key.
You discover a secret trap-door through which people can enter your home without keys. You start noticing things disappearing from your home. And you’re pleading with the builder and government to fix the existing loop-holes. All fall on deaf ears.
A key can’t protect you if it falls into wrong hands. If you’re using a key, the onus lies on you to make sure that you don’t keep handing it out to people like candy.
Tomorrow, your home gets ransacked. Are you still gonna say - “Oh, but it’s not the builder’s fault, it’s the fault of those criminals!"? Who takes the blame? Who is to be held accountable if that happens?
The question that you should be asking is - “How was this allowed to happen in the first place?"
#6: It can be used to prevent terrorism / catch illegal immigrants.
Funny thing - Hundreds of Rohingya Muslims have been caught possessing Aadhaar cards. And these illegal immigrants weren’t caught BECAUSE of Aadhaar. Correlation does not equal causation. They were first caught, AND THEN were found to have Aadhaar cards.
Getting an Aadhaar card is child’s play - all you need is to live in the country for 182 days.
All right, so what can we (as citizens) do about it?
Don’t blindly believe in technology. Question its purpose. If you’re a software engineer, you know how important testing edge-cases is before you deploy something.
Technology is not going to achieve miracles on its own. Blind faith in it is just superstition. Problems get solved only if you really want to solve them in the first place.
Until Aadhaar’s existing loopholes are fixed and its implementation made robust, it should not be made mandatory. Else it’ll continue to be a danger to your fundamental rights to privacy. Unless strong and formal data security laws are in place, it has the potential to be used as a tool for surveillance, and criminal elements to misuse it.
Aadhaar linking has been postponed to 31st March. That means we still have time to prevent its forceful linking to everything.
- Use resources from this website to send an email to your telecom operators, banks and local MPs. It’s a one minute process, and it’ll help form petitions and voice our concerns to the Supreme Court. These emails will definitely have an impact.
Over 30,000 emails have been sent so far using this website. You can check the latest statistics here.
Speak to your friends and family and ask them to raise their concerns as well.
- Register your demand to opt-out from this whole Aadhaar mess.
- Lastly, use these resources to educate yourself and spread awareness:
If you’re curious, spend some time to Google - you’ll un-earth several more of these issues. I can’t possibly list all of them here - the answer has already become too big.
I’ve discussed 6 questions above that had come up during discussions. Some more questions were raised on the original post on Quora:
#7: Cars cause car accidents, doesn’t mean that we go back to horse carriages.
Until cars are at least manufactured with doors and safety-belts, proper traffic laws and rules are in place, and roads are made safer - it shouldn’t be made mandatory for you to drive a vehicle.
#8: Nothing is 100% secure / Aadhaar is secure.
Really, after reading all that? Sure, I’ll indulge you. Sure, nothing is secure. Even Google or Facebook doesn’t claim to be 100% secure. But at least some yardstick of safety needs to be achieved first. No car manufacturer claims that their car is 100% safe and can survive any accident, but at least a car should have doors and a seat-belt in place. Have some benchmarks for God’s sake.
First you manufacture a car without doors or seat-belts, make it compulsory to use, and then go around claiming that it is secure/safe? And when shit goes down, you claim that no other car is 100% secure either?! That’s not a very logical argument.
#9: Google / Facebook / others have all of your data.
The problem isn’t with having someone’s data. The concern lies in what you do with the data, how securely you keep it, and whether you inform people what’s being done with the data.
Google isn’t using your finger-prints and IDs to create bank-accounts and reroute money without your consent. Google did not have such shoddy security that it allowed your data to get leaked on over 200 websites. If something goes wrong, Google will be held accountable and will face class-action lawsuits.
And storing bank information IS A CHOICE. I have not given my Bank account details to Google till now. What happened, did Google threaten to discontinue their service?
As I mentioned earlier, using Google isn’t mandatory. You can still survive and live a life if you choose not to use Google.
#10: UIDAI / Government is making efforts to correct its flaws.
Not really. Wanna know what happened after the latest Airtel fiasco?
The latest news is that LPG subsidies can continue to exist and be deposited in Airtel Payments Bank accounts!
Apart from temporarily suspending Airtel’s e-KYC license, UIDAI has put a fine of Rs. 2.3 Crore on the company. Which seemed good at the time, but a few days later it again reinstated Airtel’s eKYC license! And earlier, individuals have been arrested and trolled for pointing out flaws. No formal bug reporting policy either.
UIDAI tries hard to shirk responsibility unless noise is made.
Look at their response on Twitter, which says that it’s the customer’s job to ask the status of their money.
If it is indeed trying to change things, it’s because people have been criticizing it and now it’s being forced to. Why wait for shit to go down before you start to finally realize your mistakes? Why allow things to escalate to this level?
Prevention is surely better than cure, don’t you agree?
Seems like people need dramatic examples to shake them out of apathy. Sometimes, things don’t get better unless you force it to happen.