I wrote this piece as a rant on Quora in response to a question: Ashwin Hariharan’s answer to What is Wrong with India
Right now? As of December 2017, it’s this poor implementation of a technology that’s making the lives of Indian citizens miserable.
Touted by UIDAI and the Modi government as a ground-breaking solution for all your problems. Well, they are partially right. It’s only ground-breaking, as in - literally breaking the ground on which every other good thing stands. Solution? Nope!
Why, you ask? Well, let’s see -
It’s a 12 digit unique-identity number, which the Indian Government intends to issue to every citizen. Think of it as your national ID. It’s also the world’s largest biometric ID system - over 99% of Indians above 18 have already enrolled for Aadhaar.
A plethora of data, starting from your name, birthdate, address, biometric details like finger-prints and retina scans.
It’s supposed to vastly improve the speed and delivery of services to Indian citizens - ranging from financial transactions, government services, medicine, education, telecom, internet, preventing money laundering and fraud, terrorism…the list is huge. Notice I said supposed to.
For this, you gotta link your Aadhaar card to every damn thing under the Sun - starting from mobile operators, bank accounts, health records, college admissions, pension schemes, mutual funds, and so forth.
All right, now that you know what it is, let’s address the elephant in the room.
Did you notice the “supposed to be” part earlier? Here are some of the numerous goof-ups that have happened over time:
This is by no means an exhaustive list. There are so many instances where people have been denied essential services because their Aadhaar had faulty data.
Take for example, the Aadhaar enrollments until Jan 2017. Out of 15 Crore Enrollments, over 6 crore enrollments had duplicate biometrics.
Entire families dying of starvation because they didn’t have Aadhaar and were denied food rations.
Everyone - from telecoms to banks to even pension schemes - is threatening to disrupt their services if you don’t link your Aadhaar card.
Yes, arm-twist the fuck out of me to link my Aadhaar to LIC or else threaten to freeze the policy. And when I do it, you make me click on a disclaimer that says I VOLUNTARILY give my consent.
NO, I DO NOT VOLUNTARILY GIVE MY CONSENT YOU FUCKING GOONDA AADHAR MAFIA! pic.twitter.com/D3rO3lu64X
— MJ (@jay4nth) December 6, 2017
Strong-arming you into giving your Aadhaar and biometric information, threatening to freeze your services, and then making you click a disclaimer saying that you “voluntarily give your consent”, is not consent.
It’s like someone holding a gun to your forehead, and making you sign a document that says that you willingly handed over your wallet!
No. First of all,
It’s faulty to assume that bio-metric information is tamper-proof. It isn’t. It can be easily compromised.
Finger-prints and iris information can be easily copied using a good smartphone. Moreover, if someone decides to use a fake fingerprint authentication machine, how would you even know? What about those who are technologically illiterate?
Sure, debit cards and driving licenses can be tampered with, too. But they can be replaced. Your fingerprints, however, cannot.
Fingerprints can also get worn out; they could even change as the years go by, or if you’re into labor work. Read about how many workers in Telangana were denied employment benefits because their Aadhaar couldn’t be authenticated.
There have been numerous data breaches over the past 1 year. Millions of Indian citizens’ personal information has been compromised and put at risk.
Earlier this year:
You thought that when I talked about frauds happening, I meant individual criminals were doing it? Think again. The latest fraud was not done by one individual, it was done by an entire freaking telecom company.
Been screaming hoarse about how Aadhaar can be used as a tool for fraud. I was assuming that individuals with criminal intent would be misusing it.
BUT something WAY bigger happened.
Due to Aadhaar's shit design, a whole telecom company did fraud! https://t.co/hbcaDOhhd0
— meghnad 🔗 (@Memeghnad) December 20, 2017
Lakhs of people had their LPG subsidies credited to accounts they didn’t even open or even know existed!
Aadhaar isn’t anything like Social Security Number. Does SSN rely on biometric authentication for providing services? No! What do you think happens in USA if someone’s SSN fails to authenticate?
No, because you’re creating a Single Point of Failure. When you keep adding more and more services to a single National ID, you’re putting everything at risk, it becomes a central point of attack. All that someone needs to do to introduce chaos, is to attack that single point. Everything else would collapse.
Have you wondered why if your passport gets stolen, it doesn’t affect your bank account? That’s because one doesn’t necessarily rely on the other. You have options to use alternate IDs. Does the theft of your driving license affect your mobile phone usage? No, because again - they don’t necessarily have to be connected to each other.
Now think, what would happen if these unrelated services were inextricably linked?
When the entire world is trying to move towards decentralized systems, like cloud services, blockchain, even AI - why would you want to compromise personal and private information by storing them all under one single repository?
Does Facebook or Google threaten to disrupt / de-activate all their services if you don’t give them your Aadhaar information, unlike Bank accounts or telecom operators? Do they coerce you into sharing critical bio-metric information? No! Moreover,
Facebook, Google and Twitter are luxuries, not essential services. You can opt out of them at any time.
Is having a Facebook, Google or Twitter account essential in living a normal life? We are talking about essential services - like education, finance, health services and telecoms. When your very life/livelihood depends on them, it becomes all the more important that tampering with one doesn’t mess with the entire fucking system.
As of now, Aadhaar is the only platform in the world with over a billion users, with no formal bug reporting policy. You have to rely on Twitter and other means to report issues. Do you think that the vast majority of Indians use Twitter to voice their grievances?
What did UIDAI actually do to make the system better, apart from claiming every single time that the data breaches were not their fault? They attempt to fix things only after the damage is already done, until then they don’t pay heed.
People have been arrested for pointing out loopholes in Aadhaar - Article says Aadhaar can be hacked, FIR against writer
India neither has strong data security laws, nor is it at all clear who is accountable in case anything goes wrong. It’s become an excuse for officials to put the blame on technology, to divert attention from their own incompetency.
Let me ask you something. Imagine there’s a builder, who has government support and is coercing you to put all your belongings in the home he has built for you. He claims it’s the most secure system there is, because it has a lock and key.
But your house keys are left out in the open. Duplicates made, all given to 3rd parties. You’re screaming hoarsely, asking him not to do that, but he doesn’t give a shit. Why? Because the house has a lock and key, so it’s secure, yay! What’s worse? Many people do get gullible and believe that their belongings are safe, just because there’s a lock and key.
You discover a secret trap-door through which people can enter your home without keys. You start noticing things disappearing from your home. And you’re pleading with the builder and government to fix the existing loop-holes. All fall on deaf ears.
A key can’t protect you if it falls into wrong hands. If you’re using a key, the onus lies on you to make sure that you don’t keep handing it out to people like candy.
Tomorrow, your home gets ransacked. Are you still gonna say - “Oh, but it’s not the builder’s fault, it’s the fault of those criminals!"? Who takes the blame? Who is to be held accountable if that happens?
The question that you should be asking is - “How was this allowed to happen in the first place?"
Funny thing - Hundreds of Rohingya Muslims have been caught possessing Aadhaar cards. And these illegal immigrants weren’t caught BECAUSE of Aadhaar. Correlation does not equal causation. They were first caught, AND THEN were found to have Aadhaar cards.
Getting an Aadhaar card is child’s play - all you need is to live in the country for 182 days.
Don’t blindly believe in technology. Question its purpose. If you’re a software engineer, you know how important testing edge-cases is before you deploy something.
Technology is not going to achieve miracles on its own. Blind faith in it is just superstition. Problems get solved only if you really want to solve them in the first place.
Until Aadhaar’s existing loopholes are fixed and its implementation made robust, it should not be made mandatory. Else it’ll continue to be a danger to your fundamental rights to privacy. Unless strong and formal data security laws are in place, it has the potential to be used as a tool for surveillance, and for criminal elements to misuse.
Aadhaar linking has been postponed to 31st March. That means we still have time to prevent its forceful linking to everything.
Over 30,000 emails have been sent so far using this website. You can check the latest statistics here.
Speak to your friends and family and ask them to raise their concerns as well.
Thank you for reading.
If you’re curious, spend some time to Google - you’ll un-earth several more of these issues. I can’t possibly list all of them here - the answer has already become too big.
I’ve discussed about 6 questions that had come up during discussions above. Some more questions were raised on the original post on Quora:
Until cars at least are manufactured with doors and safety-belts, proper traffic laws and rules are in place, roads are made safer - it shouldn’t be made mandatory for you to drive a vehicle.
Really, after reading all that? Sure, I’ll indulge you. Sure, nothing is secure. Even Google or Facebook doesn’t claim to be 100% secure. But at least some yardstick of safety needs to be achieved first. No car manufacturer claims that their car is 100% safe and can survive any accident, but at least a car should have doors and a seat-belt in place. Have some benchmarks for God’s sake.
First you manufacture a car without doors or seat-belts, make it compulsory to use, and then go around claiming that it is secure/safe? And when shit goes down, you claim that no other car is 100% secure either?! That’s not a very logical argument.
The problem isn’t with having someone’s data. The concern lies in what you do with the data, how securely you keep it, and whether you inform people what’s being done with the data.
Google isn’t using your finger-prints and IDs to create bank-accounts and reroute money without your consent. Google did not have such shoddy security that it allowed your data to get leaked over 200 websites. If something goes wrong, Google will be held accountable and will face class-action lawsuits.
And storing bank information IS A CHOICE. I have not given my Bank account details to Google till now. What happened, did Google threaten to discontinue their service?
As I mentioned earlier, using Google isn’t mandatory. You can still survive and live a life if you choose not to use Google.
Not really. Wanna know what happened after the latest Airtel fiasco?
The latest news is that LPG subsidies can continue to exist and be deposited in Airtel Payments Bank accounts!
Apart from temporarily suspending Airtel’s e-KYC license, UIDAI has put a fine of Rs. 2.3 Crore on the company. Which seemed good at the time, but a few days later it again reinstated Airtel’s eKYC license! And earlier individuals have been arrested and trolled for pointing out flaws. No formal bug reporting policy either.
UIDAI tries hard to shirk responsibility unless noise is made.
Look at their response on Twitter, which says that it’s the customer’s job to ask the status of their money.
If it is indeed trying to change things, it’s because people have been criticizing it and now it’s being forced to. Why wait for shit to go down before you start to finally realize your mistakes? Why allow things to escalate to this level?
Prevention is surely better than cure, don’t you agree?