Skip to content

Since the last few weeks, there has been a sudden uptick of anonymous accounts supporting Aadhaar and dismissing concerns and news of information leaks, security and privacy issues. These accounts were all either created in may or scrubbed of all content and began tweeting afresh in May. Some of them are propaganda accounts that tweet only positives about Aadhaar and/or gloss over issues raised on grounds of law, constitutionality, fundamental rights, privacy, ethics, security, national security and so on.

Here are some of the accounts.

Out of these the @supportaadhaar has been separately claimed by Rashmi Ranjan so far

But there were more serious handles that were created in May, anonymous and interacted specifically with critics of Aadhaar in various ways that ranged from defamation to threats of legal action. For example, these handles.

It did not take us long to figure out what was going on. Prominent handles that had criticized Aadhaar on technical grounds (not lawyers, or political or ethical grounds) were the main targets. It was rapidly obvious that these were fronts for people from the tech community. Likely people profiting from Aadhaar, because it is really not plausible that the abundantly detailed flaws revealed in Aadhaar could not be understood by them.

When one of these handles, @confident_india tangled with Kiran Jonnalgadda, he was able to make an educated guess at its identity and proved it by verifying the troll account against a real phone number. That phone number belonged to the co-founder, governing body member and director of iSPIRIT - Sharad Sharma. The director of iSPIRIT was going around using a fake handle and planting allegations of profiting from criticism of Aadhaar against critics. Planting allegations about them working for foreign intelligence agencies (ironically, MongoDB that Aadhaar uses is funded by the CIA).

Allegations of foreign intelligence affiliations
Who is funded by the CIA Allegations of foreign intelligence affiliations

On a stray note, after these allegations started happening, Nandan Nilekani ("mentor" to this circus) too referred to critics of Aadhaar with vested interests from his real account while promoting that childish data free article asking personal questions related to motivations of aadhaar critics that is replied to here.

Kiran informed several of us about his investigation into this troll (aka director of iSPIRIT, Sharad Sharma) and we independently verified that his number was indeed attached to the fake account, because he knew that once he exposed Sharad Sharma in public, the phone number would immediately be removed and perhaps the anonymous account as well.

He made this video public in a tweet and later blogged about it. Thiyagarajan M, a fellow at iSPIRIT blogged a reply on medium.com as well stating that Sharad had denied the allegations and they would be investigated, while he admits that the presentation Kiran mentions exists and is just a strategy document that does not recommend anonymous trolling. He states that they were aware that some of them had created an anonymous campaign and claims it is not an official campaign by iSPIRIT. As though an official campaign would be put in writing formally.

We are aware that some volunteers and their friends have created an anonymous campaign to Support Aadhaar. This is not a troll campaign, but an informational one. It is also not an iSPIRT campaign.

I am not sure what remains to investigate. If it is about investigating how Sharad can possibly be taken off the hook, it shouldn't need an organization existing because of an authentication based product too long to realize that there really is no sane way.

No official handle related with iSPIRIT has so far published any statement to the best of my knowledge. Sharad Sharma and the troll have both promptly denied to it, of course. Except, in the process of denying that he was @confident_india, Sharad seems to have proved himself to be @indiaforward2 as well! He accidentally tweeted his denial of being @confident_india from the @indiaforward2 handle as well as his real handle, before tweeting the new tweets with his real handle. He deleted the tweets that went from both handles of course, but not before someone quick made a timely screenshot. So here we are.

 

Sharad tweeting as @indiaforward2

The denial from his main handle was read by many, but I don't have a screenshot of it... yet. However, he didn't delete it fast enough. Factordaily updated their reporting of the Sharad Sharma controversy with his denial

Sharad Sharma woke to tweetstorm in Atlanta
Sharad Sharma woke to tweetstorm in Atlanta just like @indiaforward2
Sharad tweeting as himself.
Sharad's denial of trolling from his real account
Sharad's denial of trolling from his real account

My immediate thought about it wasn't even so much that people in power use sneaky, unethical methods to get their way and undermine obstacles, but that the director of a company that is a collective of software developers and who were all defending Aadhaar on grounds of security and privacy were so ignorant about securing something as elementary as an anonymous account!

Once this expose was public, several people independently verified that they too had been able to authenticate access to the troll account with Sharad Sharma's personal number. For example:

 

Rohin Dharmakumar went a step ahead and showed how a mobile phone can't simply be attached to a Twitter account without actually verifying the number.

 

There are also a lot of people unaware of the developments in that country called Digital India who are aghast at what they are discovering. This is what you get for being gullible. Here. Educational. Video published from official iSPIRIT handle. Watch Pramod Varma, Sanjay Jain ex-UIDAI now "volunteer" at the ISpirt that "donates" to Govt and how this serves to avoid oversight by CAG, RTI.

In other words, what you have here is a bunch of private people who are creating products off big data collected from all citizens in a manner that allows them to evade accountability to the citizens for it. They also fund the government, push the expansion of Aadhaar in spite of extensive risks and violations of citizens rights being documented. In spite of the fact that Aadhaar effectively allows any infiltrator to become a "citizen" of the country by facilitating the creation of all documents that a citizen would have. And when the concerns raised get too alarming and there is no coherent defense of them possible, they make fake accounts to go around undermining dissenters so that the imposition of Aadhaar that puts citizens and country at risk may not be challenged.

If you do not speak up for your rights, they will be trampled on by profiteers out to exploit them at any cost.

3

While people question govts in a democracy, in India the govt questions anyone questioning unaccountable govt actions. And supporters think that while India was a democracy under UPA, under Modi it has become some kind of Hindu Empire and questioning the king means "off with their heads" sort of thing. For some reason, Ritesh Dwivedy confused private individuals, not elected to public positions nor employed by public funds, as those accountable to him for their personal views and actions. And then sulked and asked again when no one thought him important enough to consider seriously. Entertaining as it is, he clearly seems to be disoriented as to who his rights as a citizen entitle him to answers from, so trying to help him find his way in the muddle this alleged democracy is becoming.

Clarifying some problems he appears to be facing. All quotes from one or the other article linked above unless explicitly mentioned.

Aadhaar is a unique indigenous innovation that empowers every Indian by providing them with a secure and verifiable identity.

This statement is completely unsubstantiated and likely at the root of all the confusion. He has been informed a lot of glorious things about Aadhaar. They are not necessarily true. Verification is an important skill in today's times when the government routinely lies to people in order to get them to believe, like Ritesh Dwivedy, whatever they wish people to believe.

Aadhaar is going to be the backbone of India becoming a developed country, and is receiving global acclaim from entities like Bill Gates, The Economist, the World Bank, Raoul Pal, and others.

These guys? Why wouldn't foreign power cartels appreciate the tool that hands them power over India on a platter? Big data is big power and leaky big data is big control without accountability for opportunists. Who needs terrorists when you have hackers and crucial data of the entire country is in a form the government has little ability to secure? Is this government supposed to serve their interests or those of citizens? Of course the other two pillars of this servitude by this government are demonetisation and promotion of cashless transactions in a country they forgot to get fully on the internet first. That is how dumb this government is. If such a database were empowerment, why is it being forced on third world countries?

One whiff of WannaCry and RBI has all ATMs shut down. On the other hand, it is the country with all these people praising us (without US doing it themselves) created the ransomware originally. To get a better perspective, they have actually done an attack on a nuclear facility in Iran with Stuxnet. Our idea of security is "don't enter random numbers for Aadhaar or we will consider it hacking" - a freaking bank did a replay attack on the Aadhaar database while "testing" their setup and neither are replay attacks prevented after that, nor the known "violators" refused access to Aadhaar - we are fucking out of our league on competence. It is like praising a 5 year old for writing all his secrets in his "private" diary in its hiding place behind the park bench. Except the 5 year old is writing down the security codes for getting into their home. Oh wait Indian homes don't have security alarms and such. Oops sorry.

Think of it like this. If Aadhaar is this easy to misuse, it will be misused and it is being misused and so far people have just got away with it while those who exposed flaws got arrested.

How many more years do you want India to remain a ‘developing’ nation?

Forever. I hope India never stops developing. How many years do you want India to be a banana republic wannabe pleasing foreign powers at the cost of citizens?

Why are you silent on all the benefits we are seeing as a result of Aadhaar?

For the same reason I'd be silent if my 5 year old came home happily telling me about her new best friend. A grown man acting in a shady manner, whom she thinks is absolutely fantastic. There are problems that are visible to one with experience on the subject. Just because all my daughter knows about the nice man in the park is that he gives candy doesn't mean it is a good thing.

Waise, why are you silent on the countless problemswe are seeing as a result of Aadhaar?

Why are you misleading the Indian public about Aadhaar through fear-mongering and sensationalism?

Why are you misleading the Indian public about Aadhaar through false assurances and "bagon mein bahar hai"?

Why are you willing to give biometrics to foreign govts and corporations, but not to your own govt?

Because our government is proved to be incompetent with data security. There isn't a single other biometric database that can be queried for identity by any Tom, Dick and Harry - because it is an idiot idea to begin with, with too high error rates to be efficient at what it claims to do and too poor security to protect citizens from the risks such a database presents. Nor is anyone in this circus apparently interested or aware that citizens have rights in a democracy and you can't just say "Idea, let me make the whole country do whatever I wish AND foot the economic and security costs of my whims without question". BJP was right on Aadhaar when UPA was in power. Today BJP has sold the country out a hundred times more than UPA even planned (though no guarantees, it is the same creeps even now. Only the sarkari gullibles have changed) Incidentally, I haven't given my biometrics to foreign governments and corporations, and most Indians have not.  Also foreign governments and companies have limited use of my biometrics, unlike the Aadhaar, which is being forcibly attached to absolutely every important transaction a person can do from hospitalizations to bank accounts, property to crop insurance. Misuse or denial has the power to literally finish the ability of a person to access own funds, communicate, live in own home or even survive if medical needs. No foreign government has been stupid enough to enslave own or other citizens this badly. Yet.

Tell you what, you do some homework and hardwork and expose some of that data you are comparing Aadhaar to, then we will have some grounds for an actual comparison, yes? Good part is, those guys won't even arrest you, you'll actually earn bug bounties. So not even risky like fighting Aadhaar under a totalitarian state.

Why are you opposed to using technology to benefit the nation?

Next you will say any and all technology is benefit only. Like the govt spamming me daily is benefit to the country, etc. Technology isn't inherently good or bad. I am opposed to insecure technology being used to generate big data for power cartels at the cost of citizens. Benefiting the government and benefiting the nation are not necessarily the same thing. Just like dissent is a right and opposing the government is not anti-national. A government is a temporary entity that changes every five years. My nationality doesn't change every five years. Get your civics right and a lot of these government peddling issues will get sorted.

Why speak half-truths and ignore the lakhs of people who are getting benefits for the first time because of Aadhaar?

Next you will say babies are being conceived because of Aadhaar only. In a country this size, people are constantly becoming eligible for something or the other. It isn't because of Aadhaar. Aadhaar makes you eligible for zero benefits. It is simply the dog in the manger inserted by the government that PREVENTS otherwise eligible people from getting benefits because the government chooses to deprive them unless they surrender their privacy for it. Think about it. It is actually an imposed indignity. I will forcibly take your fingerprints if you want the pension you spent your entire career working towards. This is helplessness. Not benefit.

Cleaning up the PDS system - for example - requires cleaning up the PDS system. It doesn't take fingerprints to know whether someone is eligible for PDS. But authentication issues sure have deprived loads of people whom you are ignoring while pointing fingers in an increasingly crazed manner.

And this is me talking because you irritated enough people that they pesterd me to reply, but the information is from the government. Most people who got Aadhaar already had documents to provide proof of address and identity for it.

 

And so on. Not bothering to read or reply further. Because personal attacks are not arguments and this is plenty to entertain those who wanted to see you get a reply. Just because you make an assumption doesn't mean it is true. Nor are you relevant enough to the larger picture to take seriously.

Return with data, technical arguments, fact based information that isn't just "But why don't you ignore all the ghastly stuff and just meditate on all the pretty?" or consider this post the answer for anything you write on the subject till eternity.

2

Aadhaar makes pretty promises, but the reality of the implementation is very different and dangerous to citizen rights as well as personal freedoms.

Tighten the chokehold and kill dissent. When anonymity goes away, public debate is more silent. Too much democracy (sounds wierd, I know) and freedom is a bad thing for those in power.

What will be marketed:

  • Less tax evasion
  • Catch terrorists
  • Less leakage of subsidy
  • Easy transactions (finger lagaya, ho gaya!! OMG!!)

What really will happen:

  • constant monitoring
  • censorship
  • suppression of dissent. (It is trivial for me to map out who all attended a protest demo and where they live if you carried your mobile with you or are videographed. Realtime facial recognition works even with hoodies and balaclavas. Even easier for me to blackmail you. Doubly easy for me to plant your aadhar in places you haven't authorized. How will you know? You wont know why and who used it anyway, you get fucked for it.)
  • credit ratings by private firms using your data (the politico-industrial complex, the rich man's state, check out what China is doing with reputation score for citizens.)
  • targeted media articles and shaping of public opinion via media and places like FB (look up cambridge analytica and the trump campaign. Look at how easily Russia took over the USA.)
  • Mining of data based on your browsing patterns (JIO does this already. Data is the new oil. It is easy to model populations right down to the galli level based on this data: Above point/URL.)
  • fear based compliance
  • attacks like 1984 riots become easier
  • the state can make you disappear
  • random and warrantless data fishing expeditions by government agencies or by those with incidental access
  • stalking by government (this happens even in the US with so many controls in place. God only knows what will happen here)
  • With aadhar based basic data and punitive measures (exclusion from the state/deletion of identity) in place, forced compliance with things like genetic testing to determine vague things like "indian-ness" becomes a possibility (Check out the kuwaiti example)

What wont happen:

  • Fine grained control on our own data including the ability to deny and/or revoke permissions to third parties
  • Liability of the UIDAI for breaches
  • Aadhar enabled transparency in elections
  • Aadhar enabled Transparency in bureaucracy and decision making by politicians
  • Aadhar enabled transparency of political party funding
  • Accountability for power grabs or unilateral decision making schemes based off of aadhar. We have essentially written off our rights to the UIDAI on how our data will be used in the future.

Why is this happening? Our population is now at a very dangerous stage with lots of young people and no jobs or other avenues. It helps to have control or situations and revolt can happen way too easily. Our ruling classes dont have a clue of how to solve basic issues apart from lining their own pockets, protecting their kids & investments and divide&rule. Emotive issues are used as a cover every week on TV to subvert actual debate while serious legislations are being made. Our population is largely uneducated and easily swayed by glitz and silly TV shows (the reason why TV now is crap and has large numbers of religious shows and kulcha based shows). Educated urban youth dont connect well with actual desi TV programming anymore.

  • Does Aadhar require this level of biometric info? No.
  • Should we let go of the control we have of our identities? No.
  • Should third parties have access? No.

Essentially, your access to freedom will now need to be mediated by Aadhar and what it says. Anyone with power can fuck your happiness and freedom.

Republished with permission by budbuk on Reddit

2

Guest post by @St_Hill examines some problems in the use of Aadhaar where the use of the UIDAI authentication goes beyond what it was designed for and compromises the privacy or security or both of users. However, stopping use that compromises security would mean much reduced adoption of Aadhaar.

Most debates around UIDAI and Aadhaar focus on privacy concerns, security of the database and on the legality of making Aadhaar mandatory. Even if these three issues get sorted out, there are four other basic issues that need attention. In all these four issues, you will see the following common themes

  • It is very likely that UIDAI knows the existence of the issue
  • Entities other than UIDAI are using Aadhaar incorrectly and sometimes dangerously
  • UIDAI has framed policies protecting itself from implications of these wrong usages
  • UIDAI is unlikely to address these issues, because solving them may reduce the usage and acceptance of Aadhaar

Issue #1: UIDAI knows that Aadhaar is not an address proof, and that the industry uses it as an address proof, but will choose to remain silent about it.

Various entities allow Aadhaar to be used as both an identity proof as well as an address proof — banks for example use biometric eKYC to onboard new customers. But the reality is that UIDAI does not validate the address of every applicant. Though applicants are asked to provide an address proof for Aadhaar enrolment, it is optional — the enrolment process (and form) is designed to allow anyone to get an Aadhaar without any documents (mainly because Aadhaar is meant even for those sleep under the flyover).

aadhaar enrollment form
Aadhaar enrolment form screenshot. If you don’t have (or choose not to give) an address proof, you can choose Introducer or Head of Family based verification and get any address updated in Aadhaar. (Attestation by the introducer is all it takes)

UIDAI is aware of this flaw, which explains why the Aadhaar Bill has multiple mentions of Aadhaar being a proof of identity, but has NO mentions of it being a proof of address.

aadhaar not proof of address
Note the strategic absence of “proof of address” in the Aadhaar Bill

It would be appropriate of UIDAI to clarify to RBI and other authorities that Aadhaar is not a proof of address, but that would mean banks and telcos would no longer be interested in eKYC — imagine if banks are asked to collect a second document as address proof despite performing a biometric eKYC. Thus if UIDAI were to “fix” this issue, eKYC (Aadhaar’s core feature) will become useless and Aadhaar’s acceptance will be impacted.

Issue #2: Aadhaar is not a proof of citizenship, but it can be used to either apply for a passport, or obtain other identity documents which can then be used to apply for a passport.

The Aadhaar Bill Section III.9 states the following:

Screenshot from Aadhaar Bill Section III.9

But this hasn’t stopped the Passport office from listing Aadhaar as an acceptable document — they go even further to state that “Furnishing of Aadhaar card will expedite processing of passport applications”.

From the Passport Seva website

Even if Passport office were to stop accepting Aadhaar as a valid document, a non-Indian can apply for a bank account or water connection or electricity connection using an Aadhaar number, and then apply for a passport using the bank statement or utility bill as an acceptable document.

The only way for UIDAI to address this is to declare that Aadhaar cannot be used for passport applications, public utilities, bank accounts and any other services which may then be used to apply for a passport. But of course, this would limit the usage and acceptance of Aadhaar, reducing its relevance.

Issue #3: Possession of a physical Aadhaar card should not be considered as identification in airports, trains and other places.

UIDAI does not include holograms or physical signatures or any other security information in the Aadhaar cards that are sent to applicants — it is just a colour printout of your Aadhaar information. You can also download and print your Aadhaar (even in black and white) as your Aadhaar card — print multiple ones and each one will be considered “original”.

aadhaar black and white printouts are valid
Clarification from UIDAI that black and white printouts of Aadhaar info are as valid as the Aadhaar card sent to you or the plastic cards that someone laminated for you

This is because UIDAI does not consider possession of an Aadhaar card as authentication that it belongs to you. UIDAI instead asks entities to authenticate the Aadhaar number based on OTP or biometrics by connecting to the UIDAI system, prior to usage.

See last sentence in Aadhaar Bill Clause 4: Aadhaar can be used as proof of identity “subject to authentication”

But in reality, the ticket checker in trains, the security guard at the airport entrance and many other places consider a physical Aadhaar card as a valid identity document.

If UIDAI were to publicly clarify that the physical Aadhaar card is irrelevant and electronic authentication is required prior to being used, it would mean that the airport security guard or the train ticket inspector carries a biometric device with them for validation. This would slow down their entire process and they would instead insist that you provide an ID proof other than Aadhaar. So if UIDAI tried to fix this problem, it would mean reduced acceptance of Aadhaar in public life, again reducing its relevance.

Issue #4: Aadhaar numbers are probably meant to be secret to avoid misuse, but UIDAI does not stop organizations from putting Aadhaar information out in public.

Only a professional counterfeit artist can recreate passports or driving licenses — this is because there are security features like holograms in an original document. But this does not apply to Aadhaar — there is no concept of an “original” Aadhaar card (See Issue #3 above). A printout of Aadhaar information is being treated by various entities as a valid document, so it is easy for a fraudster (even an amateur) to print out your Aadhaar card if he knows your basic information like Aadhaar number and name), and start submitting in different places where the Govt asks us to.

UIDAI is aware of this issue, and hence Section 29 of the Aadhaar Bill states that entities which use your Aadhaar number should ensure the following:

Aadhaar numbers shall not be posted publicly by organizations collecting them

This basically puts the onus on 1000s of different organizations to ensure that they do not make your Aadhaar number public. Do a Google search for “Aadhaar number name filetype:xls” and prepare to be stunned at what is out there. Among those multiple excel sheets in the results, you will even find a Ministry website which has uploaded many excel sheets of 1000s of people’s information including name, DOB, address, and Aadhaar number.

websites have uploaded personal aadhaar information
Websites have uploaded excel sheets of people’s information including Aadhaar numbers
website has uploaded personal aadhaar information for 1360 people
One such excel sheet has all this information of 1360 people out there in public

Printing their Aadhaar cards will probably take a few minutes of effort for a fraudster with a computer and a black and white printer.

UIDAI can stop this by identifying such entities and stopping them from putting out Aadhaar numbers in public, but it is a mammoth monitoring effort. The other solution for UIDAI is same as the solution for Issue #3, which will again reduce Aadhaar’s relevance.


As is now evident, UIDAI is faced with two choices in each of these issues. They can either fix the issue running the risk of Aadhaar irrelevance in public life, or they can choose to stay silent running the risk that something may go wrong at a large scale in the future.