The Aadhaar Anxiety
Modern technology gone berserk
aging
- đïž Date:
- đïž Last modified:
- â±ïž Time to read:
Table of Contents
I wrote this piece as a rant in response to a question on Quora: What is Wrong with India
Well what is wrong with India?
Right now? As of December 2017, itâs this poor implementation of a technology thatâs making the lives of Indian citizens miserable.
Aadhaar.
Touted by UIDAI and the Modi government as a ground-breaking solution for all your problems. Well, they are partially right. Itâs only ground-breaking, as in - literally breaking the ground over which every other good thing stands on. Solution? Nope!
Why, you ask? Well, letâs see -
What is Aadhaar?
Itâs a 12 digit unique-idenity number, which the Indian Government intends to issue to every citizen. Think of it as your national ID. Itâs also the worldâs largest biometric ID system - over 99% of Indians above 18 have already enrolled for Aadhaar.
What kind of information is captured?
A plethora of data, starting from your name, birthdate, address, biometric details like finger-prints and retina scans.
What is it supposed to solve?
Itâs supposed to vastly improve the speed and delivery of services to Indian citizens - ranging from financial transactions, government services, medicine, education, telecom, internet, preventing money laundering and fraud, terrorism…the list is huge. Notice I said supposed to.
For this, you gotta link your Aadhaar card to every damn thing under the Sun - starting from mobile operators, bank accounts, health records, college admissions, pension schemes, mutual funds, and so forth.
Allright, now that you know what it is, let’s address the elephant in the room.
Why is it shitty?
- Because linking every essential service to one single ID is dangerous and a design flaw.
- Because Aadhaar isnât secure, and the authorities have been turning a blind eye.
- Because Aadhaar related fraud and malpractices are becoming common-place.
Letâs examine these points, one by one:
1: Is Aadhaar ID unique / robust ?
Did you notice the “supposed to be” part earlier? Here are some of the numerous goof-ups thatâs happened over time:
- Maharashtra Loan Waiver Hits Roadblock as Lakhs of Farmers With Same Account, Aadhaar Numbers Listed
- Everyone in this Uttarakhand village has the same birth date on their Aadhaar cards
- Underage girls who were rescued from brothels were sent back because their Aadhaar card showed them as majors.
This is by no means an exhaustive list. There are so many instances where people have been denied essential services because their Aadhaar had faulty data.
Take for example, the Aadhaar enrollments until Jan 2017. Out of 15 Crore Enrollments, over 6 crore enrollments had duplicate biometrics.
2. Is it consensual/voluntary?
The government wants pregnant women to enroll in Aadhaar to get their social scheme benefits
Entire families dying of starvation because they didnât have Aadhaar and were denied food rations.
Narasimha Talks about 3 starvation deaths in dalit family in Gokarna after denial of food rations for lack of aadhaar #KillerAadhaar pic.twitter.com/2piEUugBk0
— đđ»đ¶đđźđż đđżđźđđ¶đ»đ± (@anivar) October 26, 2017
Everyone - from telecoms to banks to even pension schemes - are threatening to disrupt their services if you donât link your Aadhaar card.
Yes, arm-twist the fuck out of me to link my Aadhaar to LIC or else threaten to freeze the policy. And when I do it, you make me click on a disclaimer that says I VOLUNTARILY give my consent.
— MJ (@jay4nth) December 6, 2017
NO, I DO NOT VOLUNTARILY GIVE MY CONSENT YOU FUCKING GOONDA AADHAR MAFIA! pic.twitter.com/D3rO3lu64X
Strong-arming you into giving your Aadhaar and biometric information, threatening to freeze your services, and then making you click a disclaimer saying that you “voluntarily give your consent”, is not consent.
Itâs like someone holding a gun to your forehead, and making you sign a document that says that you willingly handed over your wallet!
Is it secure?
No. First of all,
It’s faulty to assume that bio-metric information is tamper-proof. It isnât. It can be easily compromised.
Finger-prints and iris information can be easily copied using a good smartphone. Moreover, if someone decides to use a fake fingerprint authentication machine, how would you even know? What about those who are technologically illiterate?
Sure, debit cards and driving licenses can be tampered with, too. But they can be replaced. You fingerprints however, cannot.
Fingerprints also can get worn out, they could even change as the years go by, or if youâre into labor work. Read about how many workers in Telengana were denied employment benefits because their Aadhaar couldnât be authenticated.
There has been numerous data breaches over the past 1 year. Millions of Indian citizens personal information have been compromised and put at risk.
Earlier this year:
- Over 130 million Indian citizens Aadhaar linked data, such as names, addresses and bank account details were put up over 200 websites for months.
- The CIA reportedly has Aadhaar linked data of millions of citizens
- At Vishakhapatnam, over 15% of Passport applications were attached with fake Aadhaar Cards. Thatâs right, forging Aadhaar cards is easy, and officials arenât even equipped enough to detect fake ones from real ones.
- The OTPs issued by UIDAI are over insecure channels.
- No respite to HIV patients.
But the biggest scam of them all happened this December.
You thought when I said by frauds happening, I meant individual criminals are doing it? Think again. The latest fraud was not done by one individual, it was done by an entire freaking telecom company.
Been screaming hoarse about how Aadhaar can be used as a tool for fraud. I was assuming that individuals with criminal intent would be misusing it.
— meghnad (Nerds ka Parivaar) (@Memeghnad) December 20, 2017
BUT something WAY bigger happened.
Due to Aadhaar's shit design, a whole telecom company did fraud!https://t.co/hbcaDOhhd0
Lakhs of people had their LPG subsidies credited to accounts they didnât even open or knew even existed!
Some common arguments in support of Aadhaar
I frequently hear these during Aadhaar related discussions:
#1: In USA, citizens are also given unique identity number, so whatâs the harm if we have one?
Aadhaar isnât anything like Social Security Number. Does SSN rely on biometric authentication for providing services? No! What do you think happens in USA if someoneâs SSN fails to authenticate?
#2: Whatâs wrong in linking everything to one ID? Isnât it better to have one ID proof rather than having multiple IDs?
No, because youâre creating a Single Point of Failure. When you keep adding more and more services to a single National ID, youâre putting everything at risk, it becomes a central point of attack. All that someone needs to do to introduce chaos, is to attack that single point. Everything else would collapse.
Have you wondered why if your passport gets stolen, it doesnât affect your bank account? Thatâs because one doesnât necessarily rely on the other. You have options to use alternate IDs. Does the theft of your driving license affect your mobile phone usage? No, because again - they donât necessarily have to be connected to each other.
Now think, what would happen if these unrelated services were inextricably linked?
When the entire world is trying to move towards decentralized systems, like cloud services, blockchain, even AI - why would you want to compromise personal and private information by storing them all under one single repository?
#3: You donât have any problem with giving information to Google / Facebook, so why not for Aadhaar?
Does Facebook or Google threaten to disrupt / de-activate all their services if you donât give them your Aadhaar information, unlike Bank accounts or telecom operators? Do they coerce you into sharing critical bio-metric information? No! Moreover,
Facebook, Google and Twitter are luxuries, not essential services. You can opt out of them at any time.
Is having a Facebook, Google or Twitter account essential in living a normal life? We are talking about essential services - like education, finance, health services and telecoms. When your very life/livelihood depends on them, it becomes all the more important that tampering with one doesnât mess with the entire fucking system.
#4: No technology is fool-proof. Rather than criticizing it, you should work towards making it better.
As of now, Aadhaar is the only platform in the world with over a billion of users, with no formal bug reporting policy. You have to rely on Twitter and other means to report issues. Do you think that the vast majority of Indians use Twitter to voice their grievances?
What did UIDAI actually do to make the system better, apart from claiming every single time that the data breaches were not their fault? They attempt to fix things only after the damage is already done, until then they donât pay heed.
People have been arrested for pointing out loopholes in Aadhaar - Article says Aadhaar can be hacked, FIR against writer
India neither has strong data security laws, nor is it any clear as to who is accountable in case anything goes wrong. Its become an excuse for officials to put the blame on technology, to divert attention from their own incompetency.
#5: But how is it Aadhaarâs fault? Isnât it the fault of Airtel / other criminal individuals / other elements? Why are you blaming Aadhaar for this?
Let me ask you something. Imagine thereâs a builder, who has government support and is coercing you to put all your belongings in the home he has built for you. He claims itâs the most secure system there is, because it has a lock and key.
But your house keys are left out in the open. Duplicates made, all given to 3rd parties. Youâre screaming hoarsely, asking him not to do that, but he doesnât give a shit. Why? Because the house has a lock and key, so itâs secure, yay! Whatâs worse? Many people do get gullible and believe that their belongings are safe, just because thereâs a lock and key.
You discover a secret trap-door through which people can enter your home without keys. You start noticing things disappearing from your home. And youâre pleading with the builder and government to fix the existing loop-holes. All fall on deaf ears.
A key canât protect you if it falls into wrong hands. If youâre using a key, the onus lies on you to make sure that you donât keep handing it out to people like candy.
Tomorrow, your home gets ransacked. Are you still gonna say - “Oh, but itâs not the builderâs fault, itâs the fault of those criminals!”? Who takes the blame? Who is to be held accountable if that happens?
The question that you should be asking is - “How was this allowed to happen in the first place?”
#6: It can be used to prevent terrorism / catch illegal immigrants.
Funny thing - Hundreds of Rohingya Muslims have been caught possessing Aadhaar cards. And these illegal immigrants werenât caught BECAUSE of Aadhaar. Co-relation does not equal causation. They were first caught, AND THEN were found to have Aadhaar cards.
Getting Aadhaar card is childâs play - all you need is to live in the country for 182 days.
Allright, so what can we (as citizens) do about it?
Donât blindly believe in technology. Question its purpose. If youâre a software engineer, you know how important testing edge-cases are before you deploy something.
Technology is not going to achieve miracles on its own. Blind faith in it is just superstition. Problems get solved only if you really want to solve them in the first place.
Until Aadhaarâs existing loopholes are fixed and its implementation made robust, it should not be made mandatory. Else itâll continue to be a danger to your fundamental rights to privacy. Unless strong and formal data security laws are in place, it has the potential to be used as a tool for surveillance, and criminal elements to misuse it.
Aadhaar linking has been postponed to 31st March. That means we still have time to prevent its forceful linking to everything.
- Use resources from this website to send an email to your telecom operators, banks and local MPs. It’s a one minute process, and it’ll help form petitions and voice our concerns to the Supreme Court. These emails will definitely have an impact.
Over 30,000 emails have been sent so far using this website. You can check the latest statistics here.
Speak to your friends and family and ask them to raise their concerns as well.
- Register your demand to opt-out from this whole Aadhaar mess.
- Lastly, use these resources to educate yourself and spread awareness:
Update
If youâre curious, spend some time to Google - youâll un-earth several more of these issues. I canât possibly list all of them here - the answer has already become too big.
Iâve discussed about 6 questions that had come up during discussions above. Some more questions were raised on the original post on Quora:
#7: Cars cause car accidents, doesnât mean that we go back to horse carriages.
Until cars atleast are manufactured with doors and safety-belts, proper traffic laws and rules are in place, roads are made safer - it shouldnât be made mandatory for you to drive a vehicle.
#8: Nothing is 100% secure / Aadhaar is secure.
Really, after reading all that? Sure, Iâll indulge you. Sure, nothing is secure. Even Google or Facebook doesnât claim to be 100% secure. But at-least some yardstick of safety need to be achieved first. No car manufacturer claims that their car is 100% safe and can survive any accident, but at-least a car should have doors and a seat-belt in place. Have some benchmarks for Godâs sake.
First you manufacture a car without doors or seat-belts, make it compulsory to use, and then go around claiming that it is secure/safe? And when shit goes down, you claim that no other car is 100% secure either?! Thatâs not a very logical argument.
#9: Google / Facebook / others have all of your data.
The problem isnât with having someoneâs data. The concern lies in what you do with the data, how securely you keep it, and whether you inform people whatâs being done with the data.
Google isnât using your finger-prints and IDs to create bank-accounts and reroute money without your consent. Google did not have such a shoddy security that it allowed your data to get leaked over 200 websites. If something goes wrong, Google will be held accountable and will face class-action lawsuits.
And storing bank information IS A CHOICE. I have not given my Bank account details to Google till now. What happened, did Google threaten to discontinue their service?
As I mentioned earlier, using Google isnât mandatory. You can still survive and live a life if you choose not to use Google.
#10: UIDAI / Government is making efforts to correct its flaws.
Not really. Wanna know what happened after the latest Airtel fiasco?
The latest news is that LPG subsidies can continue to exist and be deposited** in Airtel Payments Bank accounts!
Apart from temporarily suspending Airtelâs e-KYC license, UIDAI has put a fine of Rs. 2.3 Crore on the company. Which seemed good at the time, but few days later it again reinstated Airtelâs eKYC license! And earlier individuals have been arrested and trolled for pointing out flaws. No formal bug reporting policy either.
UIDAI tries hard to shirk responsibility unless noise is made.
Look at their response on Twitter, which says that itâs the customers job to ask the status of their money.
If it is indeed trying to change things, its because people have been criticizing it and now itâs being forced to. **Why wait for shit to go down before you start to finally realize your mistakes? Why allow things to escalate to this level?
Prevention is surely better than cure, donât you agree?
Seems like people need dramatic examples to shake them out of apathy. Sometimes, things donât get better unless you force it to happen.