Skip to content

2

On August 24th 2017, WikiLeaks published secret documents from the ExpressLane project of the CIA pertaining to the cyber operations the OTS (Office of Technical Services), a branch within the CIA conducts against liaison services. The OTS provides a biometric collection system to liaison services around the world with the expectation for sharing of the biometric takes collected on the systems. Additionally, the CIA has developed ExpressLane - a covert information collection tool to secretly exfiltrate data collections from these systems without the knowledge of the vendors as well.

ExpressLane installs and runs covertly behind a benign splash screen indicating a software upgrade and is used when OTS agents perform on site upgrades on the biometric system. The installation raises no suspicions other than the minor notices which don't appear to be out of the ordinary for a software installation.

The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan. This company also provides biometrics collection systems for UIDAI's Aadhaar in India.

The response to these revelations in India has been astonishingly muted. A foreign government having access to confidential and highly accurate information on citizens of India amounts to an attack on India's sovereignty. The existence of Aadhaar itself now becomes a government sanctioned weapon against the country and citizens. The Aadhaar must be destroyed.

The few reports in media restrain themselves to very conservative reporting of the actual leaks without committing themselves to stating the implications for the country. This too is concerning, because it indicates an inadequate comprehension of how tech works in the media and renders the media toothless when it comes to providing public oversight on the highly insecure progression of the Digital India project.

On its part, the UIDAI has issued its standard voodoo denials. No explanations, no data, no alarm, no need for any investigations, nothing. Assurances that "all is well, don't worry" is all the UIDAI appears to have on any of the mounting concerns about the Aadhaar being illegally imposed on the citizens of India with blatant disregard to repeated orders of the Supreme Court. And of course, flat out lies - the hallmark of anything supported by the Modi government. Here are some claims debunked.

Aadhaar system has stringent security features to prevent any unauthorised transmission of data.

And here we thought UIDAI filed a case against Abhinav Srivastava, co-founder ofQarth Technologies Pvt. Ltd, who released an entire app that made unauthorized use of Aadhaar data e-kyc, then let him go, because he didn't have bad intentions. And oh, they complained about unauthorized access and then also claimed that no data was breached. We get it. There was no breach. He was using an authorized api without being authorized. No breach. Just reading news on the UIDAI is enough to give anyone who understands tech security high blood pressure.

No, Aadhaar most certainly doesn't have stringent security features to prevent unauthorized transmission of data. Aadhaar devices were not even encrypted till well after UIDAI started claiming 90% enrolment across the country (another dubious claim, for another day).

“Some vested interests are trying to spread misinformation that since ‘Cross Match’ is one of many devices which are being used in biometric devices by various registrars and agencies in Aadhaar ecosystem, the biometrics being captured for Aadhaar are allegedly unauthorisedly accessed by others.”

This is complete bullshit. The vast majority of people objecting to Aadhaar have nothing to gain from its failure (other than national and personal security). In contrast, the vast majority of people defending Aadhaar without any data, independent audit, robust explanations of technology and worse are invariably employed by UIDAI or its affiliates or have founded them (or, in a recent trend, are anonymous handles - I wonder who, other than Sharad Sharma could be behind those). Where is the misinformation in CIA being a spy agency, or it being known to engage in illegal and digital spying or it being known to subvert democratic governments in countries? Where is the "misinformation" in a leak of secret documents on a site that so far has never been questioned on the authenticity of leaked information it publishes?

Aadhaar biometric capture system has been “developed within our own country and it has adequate and robust security features to prevent any possibility of any such unauthorised capture and transmission of data regardless of any biometric device that may be used”.

This statement can be true, only if the UIDAI spokesman is a US national, because even the UIDAI website offers driver downloads for Cross Match and L-1 devices. The same Cross Match and L-1 that have apparently got biometric capture systems from the OTS branch of CIA on the understanding of data sharing. And the Express Lane is the data theft on top of that.

“In addition, there are many other rigorous security features and processes within UIDAI ensuring that no biometric data of any individual is unauthorized accessed by anyone in any manner whatsoever,”

This is a breathtaking lie, because the CONTRACT UIDAI had with L-1 Identity Solutions Operating Co Pvt Ltd, Morpho and Accenture Services Pvt Ltd, says that the company was given Aadhaar data access "as part of its job". This contract has also been reported and objected to in the past and on this blog as well in 10 big problems with the Aadhaar UID card project.

Golden rule in C-Sec is: If physical access is compromised, everything is gone. Wikileaks talks about physical access. It is about installing a backdoor on the source where biometric is acquired at the device driver level. Encryption argument is useless in that case. But encryption != Security.

(update: UIDAI has made some vodoo argument about how access is secured on UIDAI premises and what not. It is nonsense. Aadhaar data is collected out in the real world where the espionage would be happening. Whether UIDAI pickles the data or freezes in some on premises further access to foreign companies it makes no difference to that)

How much Aadhaar data and how much access do foreign BSPs have?

And this information is from an RTI filed by Col. Thomas, that the BSP (Biometric Service Provider) "may have access to personal data of the purchaser (UID), and/or a third party or any resident of India..." Further, Clause 3, which deals with privacy, says that the BSP could "collect, use, transfer, store and process the data".

Excerpt from UIDAI contract with Biometric Service providers
Excerpt from UIDAI contract with Biometric Service providers

In other words, the UIDAI has been deliberately undermining Indian security using Indian funds and flat out lying about its activities. The entire organization must be dismantled and its leaders investigated.

3

The government of India doesn't seem to be interested in getting security vulnerabilities fixed. A CS engineer, Bhavyanshu Parasher, has been spending his time understanding the current security standards deployed by the government of India in most of its data-critical apps and websites. Last year, in September, he disclosed a security flaw in Prime Minster Narendra Modi's web API that exposed user identifiable information like e-mail addresses and also that there was no proper authentication check for API endpoints. During that disclosure, he faced challenges because it was difficult for him to get in touch with concerned authorities. He mentioned on his blog that e-mail address mentioned on Google's Play Store were not working. We had to contact @buzzindelhi (the handle used by BJP's Arvind Gupta on Twitter) to help him get in touch with the concerned authorities.

"The e-mail address provided on Google's Play Store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via Twitter."

Now, the same thing is happening again. He wants to disclose vulnerabilities in two major applications deployed by the Government of India but he is struggling to get in touch with the concerned authorities. He has published a post on his blog about it though he has not mentioned the specifics of the vulnerabilities yet, as he is hoping the government will patch them before he discloses them. However, this may be rendered moot, as our searches showed that at least one of the vulnerabilities has already been publicly disclosed, but not by Bhavyanshu. That security flaw is in an unpatched version of server software and there is a CVE assigned to it. Fix has been rolled out but developers are not aware of any of this. But then why wouldn't it be so? UIDAI website still uses SSLv2 and SHA1 encoding in a world where SSLv2 has been phased out for over a decade now, and even free SSL certificates like the one used on this site come with SHA2 encoding because SHA1 isn't considered secure. You can go to the UIDAI website and check this for yourself in your browser details for the SSL certificate.

UIDAI ssl fail
UIDAI SSL fail

Bhavyanshu sent emails on March 24 and then again on April 4, but he hasn't received any response. This time @buzzindelhi isn't showing much enthusiasm in getting the vulnerabilities fixed either. In response he just directed him to the public Twitter handle of Akhilesh Mishra (Director, myGov). Hardly an acceptable process for initiating discussion about security breaches!

https://twitter.com/buzzindelhi/status/714658965703958528

One would expect Mr. Mishra to contact Bhavyanshu immediately, but the truth is that even he isn't interested.There is, as yet, no reply from him.

It is cases like these which make the whole concept of Digital India look ugly. There are no dedicated e-mail addresses for security response teams. Official e-mail addresses don't work and the apps are poor on security. It is a goldmine for unethical hackers and a complete deterrent for ethical hackers who would like to help the government fix security leaks. There is no way for the researchers to get in touch with the concerned authorities. A concept like Digital India, without guaranteed user data security and user privacy, should not be promoted by the Government of India as it puts many people at risk.

Considering the complete lack of interest in securing the vulnerabilities, we cannot provide too many details. However, people looking to exploit government data would already have found these and would be using them by now. This isn't exactly rocket science. What data is vulnerable? Let us just say that I have seen e-mail addresses, Aadhaar numbers (where provided) and street addresses and can confidently say that a malicious hacker could write a script that replicates the data for all profiles. And before you think that such things are not done, just today, Madhu Menon posted a link to the hacked and leaked Turkish citizenship database.

A similar database of MyGov.in users could prove devastating to BJP, given that their supporters are disproportionately more likely to have signed up. And while Bhavyanshu stresses that he would not do it, it isn't outside the realm of belief that more malicious hackers not just could, but definitely would. And there seems to be no way to prevent this short of raising a public stink, because a government that claims to be interested in a Digital India does not seem to have the foggiest on digital security and the need to have developer teams rapidly rolling out fixes in the event vulnerabilities are found.

"Seems like the government doesn't have dedicated security team for projects that need immediate attention to security flaws. Instead, people who wish to disclose vulnerabilities have to rely on Twitter handles to get in touch with them. I am doing a lot of volunteer work like this because I like the concept of Digital India but I don't want it without data security and privacy. I have written a web app that will help eliminate this communication gap between researchers and authorities but whom to contact? Who are the concerned authorities after all? Don't give me another Twitter handle!" , Bhavyanshu told me when asked about the current status of vulnerability disclosure. He also pointed us to privacy policy of MyGov and why people should push government for better data security.

The page for MyGov.in on HackerOne - a bug bounty program by security leaders of top internet companies like Facebook, Microsoft and Google (that rewards hackers for finding and reporting vulnerabilities so that they can be fixed) says it all "There are no known guidelines for reporting potential security vulnerabilities to this organization." Even the fact that the app has no known process for reporting vulnerabilities is an immediate flag. It tells hackers that there is no one keeping an eye on it or worried about security. The most beginning programmer puts a working address on Google Play for contacting the developer. Yet, the official application of the largest democracy in the world fails to do it.

Contrast this with the Hack The Pentagon challenge that is actively rewarding hackers to break in and expose security vulnerabilities so that they can be fixed. This is the country where, a few days ago, our Prime Minister gave a speech at the nuclear summit on April Fool's Day explaining the need to fight terrorists using 21st century technology with modern technology.

Yet, his government seems supremely unconcerned about unauthorized access to confidential information. As the UK just saw, in a country that uses technology extensively, a security breach can be used as an attack vector, when hackers hack into the water supply and change the composition of chemicals put into the tap water. A more famous example to recall could be the Stuxnet worm that damaged Iran's nuclear facilities. Yep. Code resulting in real time damage to equipment. We have, in the past seen that banks too can be hacked. We have seen that election equipment can be rigged. What will it take for us to wake up before our money, our vote, our voice and even our physical location is compromised?

It is completely insane to push for a Digital India and inaugurate three websites a month without having the requisite push to secure the data that will now be vulnerable to theft, or facilities to access. If Digital India must be, then it must be preceded by a culture of taking technology seriously or the whole country will inevitably suffer.

MyGov privacy policy claims to protect user identifiable information. Below are the excerpts from their policy page.

1. "MyGov do not sell or share any personally identifiable information volunteered on this site to any third party (public/private). Any information provided on MyGov will be protected from loss, misuse, unauthorized access or disclosure, alteration, or destruction. MyGov gather certain information about the User, such as Internet protocol (IP) address, domain name, browser type, operating system, the date and time of the visit and the pages visited. MyGov make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage MyGov has been detected."
(https://mygov.in/simple-page/terms-conditions/)

2. "Please note that MyGov do not share any personally identifiable information volunteered on this site with any third party (public/private). Any information provided to this website will be protected from loss, misuse, unauthorized access, disclosure, alteration, or destruction."
(https://mygov.in/mygov-faq/)

Turns out that like many other things, this privacy policy is a jumla as well.

Bhavyanshu Parasher, a young computer science engineer took a look at Prime Minister Narendra Modi’s Android application (among popular apps he studied for his own research purposes). The Narendra Modi app had 500,000+ downloads at that time. He found a major security flaw in how the app accesses the “api.narendramodi.in/api” API.

At the time of disclosure, API was being served over “HTTP” as well as "HTTPS". "HTTP" was being served on older versions of the app. So people who were still using older version of the app were exposed to additional vulnerability. Data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted by MiTM attacks. Another bigger problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address) for any user and posting comments as any registered user of the app.

The magnitude of the seriousness of the loophole can be understood with the following exploit. The vulnerabilities have been fixed.

Exploit demo

Bhavyanshu wrote an exploit to demonstrate how easy it was to extract email addresses using the security flaw.

"The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user." - Original Vulnerability Disclosure.

See, for instance, here is the sample output for xrange(1,10).

Exploit Result
Extracted email addresses of first 10 users

Also, he was able to post comment as any user. For example,

Comment Exploit
Comment sent as user 4234
After this security flaw was exposed, Bhavyanshu and I made considerable efforts to draw attention of the Prime Minister's development team for improving the security, but it would be another three days before the API would stop leaking the information to whoever wished to use the security loophole. It is difficult to say who and how many people have already had access to the user data for all the users of the Narendra Modi app. "Why it took them so long to connect me with developers directly? This issue could have been resolved earlier. The email address provided on play store does not work. Government should find a way to create a direct communication channel between those who report flaws and the developers. They should adopt CVRF.", Bhavyanshu said.

What are the implications for Digital India?

At a time when Indian developers are stunned by the emergence of Ankit Fadia (mostly known as a self publicized, copy-paste plagiarist at-best-mediocre script kiddie), while concerns for data security are paramount, for the Prime Minister's app to leak user information amounts to any malicious entity having a ready list of every social media savvy mobile user supporter of the Prime Minister and ruling party among other citizens. What such information could be used for is anyone's guess.

With the Prime Minister releasing a site a month on an average, the complete lack of interest in securing the application from unauthorized use is alarming. What kind of information crucial to the country could be leaked to the unscrupulous with such a casual approach to securing the information that the government seems bent on putting online if the security for such a key app with 5-6 lakh users was so careless designed.

What happens if a hacker publishes problematic information as another user?

Digital India cannot succeed if it merely courts the big business of the internet without actually having the competence to secure its own data. That would be like riding a race horse without saddle, stirrups or even knowing how to ride. Sooner or later, the horse goes rogue and you have no way to save yourself, let alone control it.

1

As I write this post, Indian Digital rights activists are watching in horror as "ethical hacker" Ankit Fadia has been declared the brand ambassador of Digital India. As Twitter goes nuts trying to show how big a "blunder" this is, perhaps it is time to realize that it is not a blunder. It is a deliberate stupidification of India with deliberate installations of mirrors of Modi's will rather than independent intellectuals.

Deliberate incompetence is the hallmark of appointments by Modi sarkar and they happen too often to be considered mistakes. From Smriti Irani, who faked her own education credentials handling National Education to Ankit Fadia, a self proclaimed ethical hacker no professional respects is only the tip of the iceberg that had started showing up right from Modi's election campaign.

Kirron Kher, contesting from Chandigarh in the Lok Sabha Elections had candidly admitted in an interview to the Indian Express, "I am not a politician. I do not see myself as politician. I see myself as somebody who is working for my city and fought (elections) to get one more seat to (Narendra) Modi ji. That is how see myself. I did not ask for the ticket. It was given to me and now I am here." Contesting against a 4 time MP Pawan Bansal of the Congress and Gul Panag of the Aam Aadmi Party, the candidature of Kirron Kher had been met with black flags by BJP workers themselves in Chandigarh. She won.

From Modi's holograms being projected nationwide to sidelining of senior leaders, Modi is clearly a man not interested in the contributions of others, even as he accepts their necessity. The Supreme Court rapped the Women and Child Ministry for the delay in filling vacancies in the National Commission for the Protection of Child Rights, but the reason turned out to be the PMO not clearing their appointments.

But if we see the appointments being made, there is little reason for cheer. Amartya Sen resigned in protest citing unprecedented interference in academics from the government. I do not see him as a leftist, but I am aware the supporters of the present government do. Yet we now have students of the FTII protesting as well. Surely the case cannot be that Modi lacks supporters among excellent actors that he settled for Gajendra Chauhan to avoid dealing with a "secular" (as his current whine in foreign countries goes)?

In a scathing piece on the rise of "anti-intellectualism" under the present government, Rishi Majumder identifies the common thread behind persistent absurd appointments as "The lack of a strong, distinct, individual vision for what they want to achieve with their charges." even as they are good managers. I see it as the appointees being conduits for a vision dictated from sources out of public scrutiny. Mirrors, mirrors everywhere, readily reflecting someone's will.

But there is more. It is a deliberate flaunting of unchecked stupidification in an obscene carnage of an intellectual India. The word "intellectual" itself has been turned into a slur by the supporters of this regime. The message is clear. "We do not want your fancy theories. We want the freedom to define scholarship however we wish." The trend is far reaching and flaunted at the most trivial of opportunities. Of all the journalists in the world, Modi chose Fareed Zakaria to give his first interview. Till then, Farid Zakaria's biggest attention puller was when his articles got pulled down for plagiarism.

Smriti Irani got rewarded for her loyalty and robust defense of Modi.  Fine. But it is not just that. What she was entrusted with was something she had been discredited for. It is not about less qualified politicians. Faking qualifications on an election affidavit is an act that declares that her qualifications felt inadequate to her own eyes. She could have been rewarded in many other ways, but she now she handles the nation's education. Something she has been established as inadequate about.

It is not merely loyalty. Modi's supporters include several senior journalists as well, but would someone like say, Kanchan Gupta accept being told what he could ask and what he couldn't? In addition to showing critics that they cannot stop him, no matter what he does, Modi's choices of people are also a statement of what behavior among supporters will get rewarded. Modi does not want independent thinking even among his supporters. Kanchan Gupta and Subramanian Swamy - two of the most independent thinking right wing thinkers are conspicuously free of responsibility, even as jokes circulate about Advani in the margadarshak mandal. The three countries Ajit Doval (who had been caught with Chota Rajan'sgangster) took an interest in, bombed in terms of foreign policy. As we speak, freaking "Hindu" Nepal has people outraging against India. It does not seem to matter to anyone. Baba Ramdev is selling churans to cure dengue and collaborating with the Defense Research and Development Organization - toward what purpose is anyone's guess.

Modi himself seems to take absurd speech to greater heights when he talks of Ganesha's head being an evidence of plastic surgery being practiced in ancient India. Not even transplants, mind you. Plastic surgery. While speaking of a super elite hospital helping improve healthcare for the masses in India, like the 32-rupees people would be lining up to pay over a thousand rupees to even be seen as an outpatient in this miracle hospital. Let there be no doubt that not even an effort to sound rational was made.

At a time when Modi has the biggest organized support among all public figures on the internet, at a time when he launches an average of two websites a month, at a time when a large part of his election victory was due to towering ethical and unethical efforts online, it is absurd to imagine that he does not have anyone to be a better brand ambassador for Digital India than Ankit Fadia - who is not respected by anyone other than abject ignorant newbies to coding. As far as appointing for incompetence goes, Ankit Fadia would rank as his second most spectacular appointment (the first being Smriti Irani, of course), because for anyone who has even passable knowledge of the subjects Ankit Fadia writes about, his name has become synonymous with plagiarism. A superstar script kiddie with dubious claims to fame. But he has the one thing Rishi Majumder had identified as a prerequisite. There is no evidence of Ankit Fadia even wanting to learn as long as he can sell his books and meaningless certificates.

Modi sarkar does not care that it reflects idolizing of incompetence on issues crucial to the nation. It does not need to care about public opinion for another 3.5 years. In a world where policies useful to cronies must be pushed unhindered, intelligent people slow things down with their questions. Even when they support. Unthinking and efficient people doing as told is what makes selling the country out from under people's feet possible. Meticulously following the government's stand, and unperturbed, supporting the government's opposite stand as well, when criticism forces a U-Turn.

 

The message to supporters is even clearer than it is to critics. I want your support, not your brain. If you want your reward, this is your key.

 

Nagrik Chetna Manch (NCM) filed a Contempt Petition (21656 of 2015) on 6th July 2015 initiating proceedings for committing civil contempt of the Hon’ble by violating it’s interim orders dated 23.09.2013 and 16.03.2015 in Writ Petition (Civil) 494 of 2012 and dated 24.02.2014 in Special Leave Petition (Criminal) 2524 of 2014. The contemnors are (1) Pradeep Kumar Sinha, Cabinet Secretary, Union of , (2) Swadheen S Kshatriya, Chief Secretary , (3) Raghuram Rajan, Governor, Reserve Bank of India (4) Nasim Zaidi, Chief Election Commissioner, of India.

NCM noticed that there was a spurt of directives in the last few months by both the Central and State governments violating the orders of the Supreme Court by mandating linkages of benefits to the possession of Aadhaar number. We give below a few examples for the basis of the Contempt Petition.

The Department of Electronics and Communication Technology integrated Aadhaar to draw benefits in the newly launched Digital India Program. The Ministry of Labour and Employment made Aadhaar card compulsory for ESI services. The Ministry of New and Renewable Energy made Aadhaar mandatory for receiving capital subsidy. The Ministry of Rural Development made Aadhaar compulsory for MNREGA services.

The Govt. of made Aadhaar compulsory for ration services at Fair Price Shops and for school admissions and the Election Commission of India issued instructions for linking Aadhaar card with Elector’s Photo Identity Card.

In it’s interim order dated 23.09.2013 passed in WP (C) 494 of 2012, the Supreme Court had directed, “in the meanwhile no person should suffer for not getting the Aadhaar number and when any person applies to get the Aadhaar number voluntarily, it may be checked whether the person is entitled for it under law as it should not be given to any illegal immigrant.” In its order dated 24/03/2014 in SLP 2524/2014 filed by the Unique Identification Authority of India against the Central Bureau of Investigation and others, the Supreme Court had restrained the UIDAI from transferring any biometric information of any person to any other agency without a written consent.

Nagrik Chetna Manch has prayed for prohibition of linkage of Aadhaar number to any benefits, to end the discrimination of persons into Aadhaar and non-Aadhaar residents and restrain the from transferring any biometric information of any person from or to any other agency without specific written permission.

NCM’s Contempt Petition 21656 of 2015 in the Supreme Court

On 6th July 2015, Nagrik Chetna Manch (NCM) filed Contempt Petition bearing no. 21656 / 2015 under Art 129 & 142 of the Constitution of India read with section 12 of the Contempt of Courts Act 1971 for initiating contempt proceedings against the Contemnors for committing Civil Contempt of Hon’ble Supreme Court whereby violating it’s interim orders dated 23.09.2013 and 16.03.2015 passed in WP (C) no. 494 of 2012. As well as order dated 24.02.2014 passed by Hon’ble Supreme Court in SLP (Crl) no. 2524 of 2014. Contemnors being (1) Pradeep Kumar Sinha, Cabinet Secretary, Union of India, (2) Swadheen S Kshatriya, Chief Secretary Government of Maharashtra, (3) Raghuram Rajan, Governor, Reserve Bank of India (4) Nasim Zaidi, Chief Election Commissioner, Election Commission of India.

Earlier NCM had filed WP no. 932 of 2013 in public interest against the use of the UID number by RBI, ECI, RGI and GoI on the grounds mentioned in the WP in which notice had been issued on 19.11.2013 by the Hon’ble Supreme Court and the same was tagged with aforesaid WP (C) 494 of 2012.

In it’s interim order dated 23.09.2013 passed in WP (C) no. 494 of 2012, the Hon’ble Supreme Court while feeling importance of this matter, listed it for final hearing. And also directed that in the meanwhile no person should suffer for not getting the Aadhaar number and when any person applies to get the Aadhaar number voluntarily, it may be checked whether the person is entitled for it under law as it should not be given to any illegal immigrant.

In an order dated 24/03/2014 in another matter Special Leave to Appeal (Crl) No.2524/2014 filed by the Unique Identification Authority of India (UIDAI) against the Central Bureau of Investigation () and others, the Supreme Court had restrained the UIDAI from transferring any biometric information of any person who has been allotted the Aadhaar number to any other agency without his consent in writing. The order further stated that no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled. All the authorities were directed to modify their forms/circulars/likes so as to not compulsorily require the Aadhaar number in order to meet the requirement of the interim order passed by the Hon’ble Supreme Court.

Despite these orders neither the nor States and their functionaries have been complying the orders of the Supreme Court in letter and spirit. They have continued to cause suffering by continuously mandating more and more for registration and linkages to the Aadhaar. The NCM quotes a few examples of the violations by the contemnors in the Petition.

The Department of Electronics and Communication Technology, for example, launched the Digital India Program on 1st July 2015. This program integrates Aadhaar as a mandatory feature to draw any benefits. The Ministry of Labour and Employment, Govt. of India issued advertisement in for making Aadhaar card compulsory for ESI services. The Ministry of New and Renewable Energy, Govt. of India issued notice No. 5/34/2013-14/RT dated 01.01.2015 for making Aadhaar card compulsory for receiving capital subsidy. The Ministry of Rural Development, Govt. of India issued letter dated 18.02.2015 and again on 25.02.2015 for making Aadhaar card compulsory for MNREGA services. The Minister of Rural Development, Govt. of India answered a unstarred question on 05.03.2015 whether the Union Government proposes to link accounts opened under Pradhan Mantri Jan Dhan Yojana with Aadhaar number to transfer subsidy and wages under MGNREGS directly indicating that “The States have been asked to take active measures to link the bank accounts of the workers with their Aadhaar numbers. In order to make use of the benefits under the PMJDY, all States have been requested to undertake an immediate drive to open Pradhan Mantri Jan Dhan Yojana (PMJDY) accounts for all the active wage seekers who already do not have a Bank/ Post Office account in the nearest commercial Bank/ Post Offices. Wherever accounts have been freshly opened by MGNREGA workers under the PMJDY, such accounts are being linked with Aadhaar number of the beneficiaries.”

The Govt. of Maharashtra issued Cabinet Resolution dated 03.03.2015 for making Aadhaar card compulsory for ration services at Fair Price Shops. The Resolution also requires the transfer of biometric information to the Govt. of Maharashtra despite there being no consent in writing of the persons whose biometric it may be. The Govt. of Maharashtra issued GR dated 21.04.2015 for making Aadhaar card compulsory for school admissions.

The Reserve Bank of India issued letter dated 26.11.2013 for making Aadhaar card readers compulsory for all new infrastructure services.

The Election Commission of India issued letter dated 27.02.2015 for linking Aadhaar card with EPIC. This process of seeding is meaningless without discriminating, and thus causing to suffer, those without an Aadhaar.

In the meanwhile as the common man continues to suffer the Aadhaar, NCM has alleged in its Petition 932 of 2013, that the linkage of Aadhaar to various databases is destroying governance and ability to govern. NCM has also highlighted that it will end the rule of law and perhaps even compromise the sovereignty of India. Such linkage of bank accounts to Aadhaar is facilitating money laundering. Linkage of Aadhaar to the EPIC and NPR is destroying the ability to distinguish citizens from residents and giving citizenship to illegal immigrants as well as anti-nationals.

NCM in the CP filed, prays for prohibition of operations related to Aadhaar number by Contemnors forthwith and until final disposal of WP (C) no.494 of 2012, require contemnors to end suffering caused by discrimination of persons into Aadhaar and non-Aadhaar residents through the continued usage or seeding of Aadhaar by any agency and restrain the contemnors from transferring any biometric information of any person who has been allotted the Aadhaar number from or to any other agency.

Qaneez Sukhrani

Secretary, Nagrik Chetna Manch

Telephone: +919822056782