----BEGIN CLASS----
[13:24] #startclass
[13:24] Hello!
[13:24] Hello everyone.
[13:24] Welcome to dgplug.
[13:24] Today we will discuss something called Aadhaar.
[13:24] A few things before we start.
[13:24] Hey hi kushal Happy new year!
[13:25] If anyone has any question, please type ! and wait for batul. batul will tell you when it is time to ask your question.
[13:25] .clearqueue
[13:25] kushal: Error: "clearqueue" is not a valid command.
[13:25] oops
[13:25] clear
[13:25] anyway
[13:25] For example, someone type !
[13:25] !
[13:25] next
[13:25] !
[13:25] next
[13:25] When batul said you can ask, you should ask.
[13:26] Also please type in full English words, will help everyone in future.
[13:26] jace, Do you want to start describing what is Aadhaar?
[13:26] Btw, also remember we have people from outside India, so maybe many things will be new to them, so explain as required.
[13:26] add: jace
[13:27] jace, You can type next to get the next question from now on.
[13:27] jace, If you can identify the rest of the session folks, we can add them too as master.
[13:29] What "Aadhaar" is depends on why you care for it. Just as "history" is whatever is written by the survivors, there are multiple definitions of Aadhaar depending on who pursued what idea of it.
[13:29] So let's start with the most common definition: Aadhaar is an attempt to give every resident of India an identity that they can use to transact with any entity that needs an identity.
[13:30] The unique feature of Aadhaar is that everyone gets one and only one identity, and it's a random number devoid of any meaning.
[13:31] This "unique" bit is a controversial choice that is both the biggest strength and weakness in Aadhaar, depending on whom it affects.
[13:32] Any identity system in practice has two parties: the party that is being identified, and the party that wants to identify the other.
[13:33] To make this easier to understand, let's use the terms "individual" and "service provider" for these first and second parties.
[13:36] Let's say you're ordering food on Swiggy (or Zomato or Food Panda or whatever you prefer). When you place the order, you have to log in to your account using a login id. This "id" is usually an email address or a phone number, and it's used by the service provider to (a) not mix up your orders with someone else's orders, and (b) to contact you if necessary for any reason (maybe to ask for directions to your house, or to tell you the order can't be fulfilled).
[13:36] The first use case is a unique identifier. The second use case is a contact address.
[13:37] Aadhaar does not serve the second use case, at least not until you introduce the Aadhaar Payments Bridge and Aadhaar-enabled Payments System (AePS), which are a secondary concern. We'll discuss that later.
[13:37] The first use case, "unique" id, is only quasi-unique.
[13:38] Hi All Sorry my laptop battery died, and I didn’t notice
[13:38] While a service provider having a unique id for you allows them to not mix up your orders/transactions with someone else's, nothing stops you from making a second account. You may want to order healthy food in one account, junk food in another account, etc.
[13:38] So this is one definition of "unique".
[13:40] But let's say a service provider offers Rs 100 worth free meals for every new customer, what stops you from just making new accounts to exploit this offer? Now the service provider wants a different kind of "unique" id: you may only have one id and not two or more.
[13:40] So this is a reverse definition of uniqueness. Aadhaar (in theory) ensures this uniqueness among all residents of India.
[13:41] The problems with Aadhaar come out of this guarantee:
[13:41] 1. When ensuring uniqueness, sometimes they get it wrong. Some people get two or more ids. Some people get zero.
[13:43] 2. The number they give you is universal. All service providers get the same number. Nothing stops them (technically) from combining their databases to invade the individual's privacy. Do you order junk food regularly and are applying for health insurance? The insurance company can buy your food eating data from food companies. The law supposedly prohibits this, but nobody has ever been sued for such a violation, which can only mean the law is toothless.
[13:45] 3. The service provider does not get a uniqueness guarantee if you refuse to share your Aadhaar number. If they want to ensure unique customers, they have to do it by refusing to serve you unless you share Aadhaar. However, thanks to #1, some people will not get Aadhaar, and thanks to #2, you lose your privacy if you do share Aadhaar. Net result is that anyone refusing to participate in the Aadhaar ecosystem is locked out of services.
[13:45] Also, I would like to add an important point that citizen (or agency, if it comes to it somehow) as a victim cannot use the law to seek redressal
[13:45] akshaybhalotia: that detail is for later.
[13:46] Even if it's not about Healthy food vs Junk food, your phone tariffs can change based on, say, your bank account, and it's also possible that the hospital may deny providing services because they can always do the join on different sources they accumulated, and one of the data points could be financial health of the person going to be admitted.
[13:46] !
[13:47] What we're seeing in India today is (a) massive enthusiasm from service providers of all kinds (state and private) to clean their databases with unique ids, and (b) widespread denial of service, including constitutionally guaranteed services, even leading to deaths of individuals.
[13:47] It makes everyone except the Aadhaar holder powerful, because you are in the dark as to what data they have access to, to deny the services - which means, there are hidden criteria to provide service to you
[13:49] is the Aadhaar card discussion happening today?
[13:49] It is in progress geekodour08
[13:49] There are problems with the imagination of Aadhaar, such as this idea of a unique id being good for society, and there are problems with the implementation of Aadhaar, including serious technological shortcomings, legal loopholes, and all around operational incompetence.
[13:50] So that's Aadhaar for you. Let's move to the next question.
[13:50] next
[13:50] Is Aadhaar a copied version of the American social security number system?
[13:50] geekodour08: it's going on
[13:51] dodococo: again, depends. If the idea of a national currency is copied from America, then Aadhaar is a copy of SSN. If you think money is an obvious idea that can't be copied, then Aadhaar is not like SSN.
[13:51] Bad attempt at copying: misses the point of being secret and lacks framework
[13:52] akshaybhalotia: SSN is worse actually.
[13:52] !
[13:53] America did not have a national currency until the civil war. They had this instead. https://en.wikipedia.org/wiki/Federal_Reserve_Note
[13:53] Private currency was outlawed as recently as the 1930s.
[13:54] https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number
[13:54] https://www.businessinsider.in/ForGods-sake-stop-comparing-Indias-Aadhar-with-USAs-Social-Security-Number/articleshow/57991057.cms
[13:55] Yes, but that is what is being sold to the public so it's important to point out the differences
[13:55] A question like whether Aadhaar is a copy of SSN is inherently problematic because it ignores the history of where these ideas come from.
[13:55] next
[13:58] While we wait for pradhvan, does anyone have a further question on SSNs?
[13:58] I did get the third point "The service provider does not get a uniqueness guarantee if you refuse to share your Aadhaar number" can you explain this again please? and by unique customers you meant people who have only one account unlike the one you gave example for one to order junk food and healthy food?
[13:59] Like one account they can monitor our data with.
[13:59] Let's take LPG. You're entitled to one subsidised cylinder per month. But to the gas company, who are "you"?
[14:00] What if you have two accounts with the gas company? How are they supposed to know?
[14:00] Let's say they make Aadhaar mandatory.
[14:00] !
[14:00] If two "customers" provide the same Aadhaar number, aha! you're caught!
[14:01] So they can now "deduplicate" and delete one of your accounts.
[14:01] But let's say you're smart and provide your Aadhaar number for only one of your two accounts.
[14:01] okay that way they can monitor uniqueness
[14:01] The LPG company can now threaten to close the account unless you give Aadhaar.
[14:02] !
[14:02] But what if you don't have Aadhaar because of #1 problem described above? That something went wrong during enrollment and they didn't give you one?
[14:02] The gas company can't distinguish between those who refuse to share Aadhaar vs those who don't have one.
[14:03] Now the problem I've described here is if you prefer to do your work sitting behind a computer, looking at spreadsheets.
[14:03] But gas has to be delivered to your door.
[14:03] !
[14:04] What if you just visit every customer and find yourself visiting the same customer twice?
[14:04] Now you can catch a duplicate without using Aadhaar at all.
[14:04] As it turns out, this simple idea is the difference between a well governed state and a poorly governed state.
[14:05] Some states don't have a big duplicate customer problem because they just do door-to-door audits.
[14:05] These states don't need Aadhaar.
[14:05] !
[14:05] Other states don't trust their own field agents, so they turn to technology solutions like Aadhaar.
[14:06] And when Aadhaar fails because someone can't enroll, the state is so poorly governed that the individual dies before the state notices it is doing something wrong.
[14:07] Several such reports come from Jharkhand.
[14:08] I hope this answers the duplicate question. Since pradhvan hasn't asked yet, let's move on.
[14:08] next
[14:08] In UPA era (Manmohan Singh govt.), Aadhaar was claimed to be identification scheme to ensure social benefits. What was the basic idea historically/initially? Whose brainchild is it?
[14:08] jace yes that clears my question, thanks
[14:09] The idea has been building up since the early 2000s.
[14:09] The basic problem is decades old.
[14:11] If a country wants to make a list of all its citizens, how do they do it?
[14:11] As it turns out, this is an incredibly hard problem.
[14:12] Until the 1600s, no ruler had any idea who all lived in their kingdom/domain.
[14:12] Making a list of citizens is useful only when you want to collect tax, and efficient tax collection is only a few centuries old.
[14:13] !
[14:13] But even then, actual citizen lists are much harder.
[14:13] The idea of conducting a census of all your population is about a century old.
[14:14] Almost everywhere a census was introduced, there were privacy concerns.
[14:15] Usually it's a fear of tax collectors, but it could be any fear.
[14:16] The census act of India mandates a thorough census every ten years. The last one was in 2011. As per the census act, all collected data is private. Nobody is allowed to see it. It can't be used to collect tax, catch criminals or anything else.
[14:17] This privacy guarantee is necessary for the other condition in the census act: it is illegal to lie to the census officer. You must give accurate details for everything they ask you.
[14:18] Census data can only be shared in the form of statistics, never as the raw data.
[14:18] So for a long time there's been a desire to open up the census data and allow it to be used.
[14:19] Also, since the census happens only every 10 years, anyone who was born or died or moved home within that decade is not recorded.
[14:20] So in the early 2000s, the government started exploring a new database related to the census, called the National Population Register.
[14:20] Conducted by the same department, but meant to be a queryable database.
[14:20] Notice that nobody was thinking about privacy at this time. The point of this database was to remove the privacy protection in the census database.
[14:22] Another idea was to use the emerging field of biometrics to ensure uniqueness of people in the database.
[14:22] This idea dates from about 2006.
[14:22] In 2009, the Manmohan Singh government recruited Nandan Nilekani to pursue this idea under a new department, UIDAI.
[14:23] They were supposed to only issue numbers to residents in the NPR, which ran under the home ministry of P Chidambaram.
[14:23] In subsequent years, NPR and UIDAI became rival projects. (Aadhaar is UIDAI's project)
[14:24] In 2014, the Narendra Modi shut down NPR and merged it with UIDAI, after originally promising to do the reverse.
[14:25] So that's a rather long-winded history of population registers.
[14:25] next
[14:25] Hi jace, it's been almost answered now; What is/was the default approach of the Aadhaar provider to guarantee the uniqueness anyway? Do they link it with biometric data or fingerprints or id from the start?
[14:25] jace: Thanks for very elaborate one :)
[14:26] In 2006, both Karnataka and then-united Andhra Pradesh started exploring biometrics to deduplicate the Food and Civil Supplies (ration card) databases.
[14:26] Both started with fingerprints and realised there were problems.
[14:27] !
[14:27] Fingerprints aren't that unique, can't be taken from children because they change too quickly, and can't be taken from the aged or those who do manual labour or are missing fingers or have skin diseases.
[14:28] In such a case, you either verify some other identifier (such as an existing id card), or you look for some other technology.
[14:28] But since biometrics were introduced because of the belief that low level officials who are supposed to check id were taking bribes, using some other id proof wasn't acceptable.
[14:29] Karnataka experimented with facial recognition technology. It turned out to be even less reliable.
[14:29] The emerging field of iris recognition became a solution. It was very new then, and very expensive, but seemed more reliable.
[14:30] Fingerprints are also easy to fake, but fake eyes are hard.
[14:31] So when Aadhaar started in 2009, they had three years of history from these two states. They decided to use both fingerprints and iris scans for the original enrollment, and only fingerprints when delivering services (since iris scanners are still expensive).
[14:31] As it turns out, this allure of foolproof biometrics has multiple problems.
[14:32] Just like fingerprint scanners can be fooled by fake fingerprints, the programmers who write the deduplication and authentication software can make mistakes in their assumptions, creating new loopholes for scammers.
[14:33] We can get into the details of these mistakes, and there are plenty, but let's get to the next question first.
[14:33] next
[14:33] You mentioned the issue of duplicate Aadhaar. How is it possible if biometrics (including retina) are linked?
[14:34] Is there a backdoor in the registration process, which allows for duplicate Aadhaar or something along those lines?
[14:34] Programmer error. What if your iris scanner had a buggy device driver?
[14:34] As it turns out, this happened, and at least one person accidentally got a duplicate Aadhaar, and went on to describe it.
[14:35] Here is his description: https://medium.com/@sthottingal/my-duplicate-unique-identity-fc64d1b7e3d8
[14:35] There are of course multiple backdoors.
[14:36] There is a category called "biometric exception" where someone's fingerprints and irises are not getting scanned.
[14:36] In this case, a reliable government officer may stand in for you.
[14:37] "Reliable" being their asking price for giving you an Aadhaar.
[14:37] This, of course, has been abused.
[14:37] Second, the biometrics of children are not scanned.
[14:37] Under 5, no biometrics.
[14:37] Between 5 and 15, considered unreliable.
[14:38] But UIDAI also has to deal with enrollments of people who don't know their own birthday.
[14:38] Turns out a lot of Indians have only an approximate idea of their age.
[14:38] So in Aadhaar, your birthday is optional and not considered reliable.
[14:39] Which means you can bribe an enrollment agency into giving you an underage Aadhaar without biometrics.
[14:39] Next: dead people. How does UIDAI know when someone dies? They can't.
[14:40] By their own documentation, biometric authentication cannot be performed on dead bodies.
[14:40] And you can't do OTP authentication to record a death, since a dead person can't enter an OTP anywhere.
[14:41] So in Aadhaar, you only die if you stop using Aadhaar.
[14:41] Which means UIDAI has a new problem:
[14:42] 1. A dead person's Aadhaar number can be abused by a living person to get multiple services. Nobody will know the person is dead.
[14:43] 2. To "catch" a dead person, you need to scan their biometrics. However, as we've already discussed, you can't always use biometrics. The Aadhaar Act itself makes it mandatory for service providers to offer an alternative if biometrics don't work.
[14:43] 3. To prevent dead people's Aadhaar numbers from being misused, UIDAI has to force everyone to do biometric authentication periodically.
[14:44] So even if you don't want to use Aadhaar, you have to be forced to use it, or someone may steal your id and use it without your knowledge.
[14:44] As you can see, Aadhaar is Hotel California by design.
[14:45] Dead people's Aadhaar numbers may be a little difficult to get hold of, but fortunately there's an entire other source of valid Aadhaar numbers: foreigners.
[14:45] In the original draft of the Aadhaar Act, any "resident" was allowed to get Aadhaar. The term was not defined.
[14:45] In practice it meant anyone who walked into an enrollment centre could get an Aadhaar.
[14:46] The Aadhaar Act now defines a resident as anyone who has been in India 182 days of the last 12 months.
[14:46] Which means a foreigner who comes to India on a valid work visa is not eligible for Aadhaar and can't open a bank account or get a mobile connection.
[14:47] For six months.
[14:47] As you can see, this is ridiculous, so in practice enrollment centres don't check the residency criteria. Anyone can get an Aadhaar.
[14:48] !
[14:48] Now what if you're a foreigner who has an Aadhaar and are leaving India? You have no further use for this Aadhaar number, so you can sell it!
[14:48] Has this been misused? Of course.
[14:49] In the most recent case, an ISI spy was found to have an Aadhaar number and an LPG connection.
[14:49] This loophole blew up a few months ago.
[14:50] It turned out in Kanpur, some people stole the fingerprints of enrollment operators and were selling readymade masks along with enrollment software for ₹5000.
[14:50] You could open your own enrollment centre anywhere in the world and enroll anyone.
[14:51] There are more people outside India than inside India. Think of the abuse possible.
[14:51] UIDAI's response to this discovery was to shut down *all* 50,000+ enrollment centres across India.
[14:52] Now you can only enroll at a post office or bank, much to the surprise of post and bank employees, who didn't know they were working for UIDAI.
[14:52] The bank employees association of India has filed a formal complaint with the government about this.
[14:53] It's also why it's so hard to enroll for Aadhaar now. Someone reported yesterday that they have been waitlisted for an enrollment appointment in April.
[14:53] I hope this answers the backdoor question.
[14:53] next
[14:53] Is door-to-door audit for deduplication feasible in a vast country like India? Secondly is Aadhaar data available for statistical analysis? I read about a machine learning course on Udacity which was using it!
[14:54] Thanks for all the information!
[14:54] To the first question, yes. Tamil Nadu does it. Other southern states do as well.
[14:55] Padfoot7: Have you heard of Postal identity cards? A post man goes physically to the location to verify the existence of someone and Aadhaar can implement the same thing.
[14:55] When you hear that South India is better governed than North India, it's because of this.
[14:56] To the second: UIDAI used to publish statistical information, but they've progressively become more closed. Now they refuse to answer almost any question.
[14:56] vasundhar: Thanks for the information, I didn't know about that. :)
[14:58] next
[14:58] can the govt or agency swap my Aadhaar identity with anyone else if they want to, that is intentionally tamper with the database
[14:58] Thanks a lot jace!
[15:00] !
[15:01] If you read the act, they can do anything they feel like.
[15:01] Google "Aadhaar Act". The first result is a PDF file.
[15:01] Read sections 47(1) and 52.
[15:02] !
[15:02] According to 47(1), you can't approach a court unless UIDAI approves.
[15:02] According to 52, anything they do in "good faith" is immune to the law.
[15:03] So it doesn't matter what the rest of the law says. If someone in UIDAI decides to mess with you, you're helpless.
[15:03] then I may be victimised for political or other reasons
[15:03] Exactly.
[15:03] They also reserve the right to cancel your Aadhaar number for any reason they feel like. It literally says that in the Act.
[15:04] next
[15:04] It's a bit long.
[15:04] vharsh, wait it's not your turn
[15:05] i have joined now can i attend the session?
[15:05] sourabh1031, you are already attending
[15:05] yikes, sorry.
[15:05] I have to catch dinner, so I'll be a little slow in responding.
[15:06] vharsh: you have multiple questions. I'll take those later.
[15:06] okay :)
[15:06] If smule is missing, I'll take a break for dinner.
[15:08] jace, I am ending the session for now.
[15:09] Or should I keep the log on?
[15:09] maybe I will keep it on for some time, and see if there is any more discussion (while jace comes back).
[15:10] How many of you do not have Aadhaar? and how many have but not linked yet?
[15:11] I have my Aadhaar linked to my bank & PAN, nowhere (Private companies) else.
[15:12] Dial *99*99# and have a good time.
[15:12] I have an Aadhaar and only linked to my bank account
[15:13] I do not have Aadhaar, Except my parents who do not trust but got pulled in
[15:13] Hey is USSD encrypted?
[15:13] My Aadhaar is linked to PAN and bank account
[15:13] If anyone is trying it, report results.
[15:13] vasundhar: In my case my parents over-trust Aadhaar.
[15:14] Of course not encrypted, because only terrorists need encryption.
[15:14] vharsh, Good to see your view changed.
[15:14] They have it linked to PayTm :/
[15:14] vasundhar, it's same with me, my dad has linked my Aadhaar to PAN and bank account
[15:14] kushal: I only knew the good side of Aadhaar.
[15:14] bhavin192: same happened with me
[15:15] I have my Aadhaar linked to Bank account and PAN
[15:15] I only heard how my father's dept didn't pay third party vendors ~50-90k for printer cartridges.
[15:15] Good Part is, PayTM still works without Aadhaar, I told my Finance team to find a way without Aadhaar for PF and other painful things
[15:16] I may have my Aadhaar linked to things I don't even remember :(
[15:16] I mean, according to my father it helped reduce corruption.
[15:16] vharsh, I am yet to hear a single good thing about Aadhaar.
[15:16] vasundhar: So what can we do if we do not have Aadhaar linked anywhere at all, when the actual deadlines come near?
[15:16] kushal: But my father got my bank account linked today.
[15:16] Back.
[15:16] One of my colleague’s Aadhaar got linked without his knowledge as, he is coming on 13th to Sri Krishna Committee
[15:16] vasundhar, yes PayTM works without Aadhaar and I have some amount on PayTM. I don't want to lose that money :(
[15:17] Has anyone tried *99*99# yet? Please report what happens if you use it.
[15:17] vasundhar, after 2nd Jan, I'm not able to transfer money from PayTM wallet to bank account without completing KYC (which in turn will need Aadhaar). Is there any way around it?
[15:17] jace, i have used and have been charged 0.50, nothing else happened
[15:18] We can discuss whether you should use Aadhaar or not based on this.
[15:18] sanketdg: We have to wait and watch, they won’t enforce with how they are operating now with or without judgement
[15:18] mpduty: it didn't give you a prompt?
[15:18] no it didn't
[15:18] It's operational issue, with limitations on number of Aadhaars can be processed, and limited locations
[15:18] jace: It did.
[15:18] vharsh: the question you asked. point 4 it can be done with a normal biometric without Aadhaar i guess
[15:18] Buggy then. It's a known problem with *99*99#.
[15:18] I entered a bogus 12 digit Aadhaar number 123..
[15:19] jace, it is asking for Aadhaar no. I'm not sure to give it though.
[15:19] realslimshanky, same here
[15:19] realslimshanky: this is an official service.
[15:19] vharsh, what happened next?
[15:20] Oh, wait, I also linked it to some of my policies (private company)
[15:20] jace: What if we want to change the number once entered?
[15:20] It told that my number isn't linked.
[15:20] You're supposed to give it your Aadhaar number, and it will tell you which bank is linked to your Aadhaar.
[15:20] jace, I tried again, got NPCI server not responding msg
[15:20] kushal: Aadhaar helped me get my passport within 15 days. I did not have to collect much of paperwork. Just Aadhaar and a Bank statement.
[15:20] But you can give anybody's Aadhaar number and it will tell you which bank account they use.
[15:20] bhavin, Sorry the Aadhaar number you have entered is not linked with any bank.
[15:21] Huh, for real?
[15:21] Here's an exercise: find Nandan Nilekani's Aadhaar number and check which bank he uses.
[15:21] jace: that too without OTP?
[15:21] No spam detection?
[15:21] Yeah, no OTP required.
[15:21] jace, Sorry, the Aadhaar number you have entered is not linked with any bank.
[15:22] I mean I won't even get a threatening call from UID? Which I am afraid to ask them if I would.
[15:22] Nope, it's a public service that you're meant to use.
[15:22] ^ This is a question worth asking.
[15:22] jace: *99*99# doesn't even mention all the connected accounts for me. It just mentions 1 of my connected accounts
[15:23] Does it also, list the IFSC code, etc?
[15:23] subho: it has no connected accounts. You can query anyone's Aadhaar number.
[15:23] It offers you the last used one as the default.
[15:23] If it did, UIDAI is totally nuts.
[15:23] vharsh: no, they don't have your account number, only the name of the bank.
[15:23] why they are not authenticating?
[15:24] Sorry that concept is alien to UIDAI
[15:24] They don't have account numbers because of a technical design decision. It's documented at medium.com/karana. Look for the "fault lines" article (I'm on phone right now).
[15:25] Has anyone tried it with Mr NN's number? Here's a hint: search for his name on Stack Overflow.
[15:25] Only bank name is okay, unless there's a different service which can pour out more data.
[15:25] here I guess this one https://medium.com/karana/fault-lines-of-aadhaar-mapper-in-digital-payments-cfef2219a416
[15:25] Please note that it's illegal to share Aadhaar numbers in public.
[15:26] vharsh: of course there is. Why do you think so many people are critical?
[15:26] Here's another exercise. Find Hanuman's Aadhaar number. You can google for it. It was widely reported.
[15:26] That's brilliant hint indeed
[15:27] I had bought an Aircel sim three months ago and my fingerprint was sent over http.
[15:27] jace, If you lose PAN, then why it's mandatory to update Aadhaar card? Some job portals websites are asking for Aadhaar number while registration is it ok to share?
[15:27] Go to UIDAI's website and validate Hanuman's number. You'll find it is cancelled.
[15:28] Next, Google for "Indane Aadhaar". There's a page on their website to check for Aadhaar numbers. Put in Hanuman's Aadhaar number.
[15:28] Indane's website is buggy and only works for part of the day.
[15:28] I went to link my bank with Aadhaar (father told me to do so), and SBI staff was using IE on a win98 looking (maybe windows8 or 7). The URL-bar was RED, possibly expired certs, or self-signed certs, or whatever.
[15:28] If you manage to make it work, you will find that Hanuman currently has an LPG connection, and his real name is also public.
[15:29] Here's Hanuman's Aadhaar Card https://d1u4oo4rb13yy8.cloudfront.net/article/44627-htzcyldxai-1478097230.jpg
[15:29] http://d1u4oo4rb13yy8.cloudfront.net/ergsbtlqgp-1478089802.jpg
[15:29] That Mr Rajput is the ISI spy with an LPG connection.
[15:30] Indane's website will cheerfully tell you everything about them. It only needs an Aadhaar number.
[15:30] I recently read that UIDAI has no bug reporting system.
[15:30] And Indane will give you details even if your gas connection is with some other agency, because all of them share data with each other.
[15:31] So unless you don't mind someone digging around with your Aadhaar number like this, don't share it with anyone, not even your bank or phone company.
[15:31] jace, very soon you won't be having a bank account or phone no without sharing Aadhaar
[15:32] jace: But isn't it okay to give it to public sector banks? They'll get it anyway.
[15:32] Nope. Empty threats. They have no authority to harm you.
[15:32] vharsh: it's okay as long as you don't mind it leaking.
[15:32] Remember that once leaked, it's leaked for life, as Mr Nilekani has also found out.
[15:32] I just gifted NN an OTP
[15:32] jace: what about bank? All those threats about shutting your account? all empty?
[15:33] jace, but bank refuses to open accounts or service providers do not give SIM cards
[15:33] You know why his number is on Stack Overflow? Because he tweeted it out in 2015. He masked the Aadhaar number, but forgot to mask the QR code. That question's XML file is the contents of that QR code.
[15:33] I wonder why is Modi silent on this? He had tweeted about his concern about Aadhaar.
[15:33] Once your number is public, you are screwed for the rest of your life.
[15:34] So it's your choice whether you want to take a risk with your bank.
[15:34] And no, your bank can't take your money. That's your property.
[15:34] The Supreme Court case starts Jan 17.
[15:34] btw, Hanuman's Aadhaar is linked with Indian Overseas Bank. So even if the Aadhaar card has been cancelled, the bank account may still be active and UIDAI still holds their data.
[15:34] It's been dragging on since 2015.
[15:35] jace: Is it okay, if we have server generated temporary identification numbers to authenticate people? Like since I know OTP 12345fadvsfg I am vharsh for the next (say) 120 seconds.
[15:35] vharsh: how does UIDAI know that your mobile number is actually yours? They don't. Most of their database is populated with other people's mobile numbers, because they never verified them.
[15:37] On the Supreme Court case: back in August, the government argued in SC that Indians don't have a fundamental right to privacy, so all these abuses were not a problem.
[15:37] How good a system it is, when you get an unverified card, for rest of your life, and the mistakes in those, haunt the poor people?
[15:37] The SC responded by declaring that it's indeed a fundamental right.
[15:37] jace, it was a 9-0 judgement, really historic
[15:38] still the govt is forcing ahead with Aadhaar
[15:38] You know what a 9-0 judgement means? It means this right is guaranteed until 10 or more judges simultaneously agree that there is no fundamental right to privacy.
[15:38] jace i tried with stackoverflow ID seems like it's connected to HDFC Bank
[15:38] this is da
[15:38] this is
[15:38] So all of these public database lookups are a violation of your fundamental right.
[15:39] Now it just requires someone to go back to the SC and argue that Aadhaar violates it.
[15:39] And *that* case begins Jan 17.
[15:40] The linking deadline is March 31. I say just sit back, ignore the threats, and let the court hear the case.
[15:40] it seems, Aadhaar is similar to the kind of national identity they used in Germany during Hitler's time
[15:40] And of course, tell everyone you know to not fall for the threats, because they are really scary threats.
[15:40] how much can you trust SC? They have to retire some day no?
[15:40] There are always judges in the SC, no matter who retires.
[15:41] SC is never dissolved like Parliament.
[15:41] Of course the SC can do weird things like the Hadiya judgement, so you can't depend on them, but there's a fairly good chance.
[15:42] The other avenue, which you and I have better control of, is to petition your Member of Parliament. They don't want to lose your vote, so they will listen if enough people ask.
[15:42] We built a website for this: SpeakForMe.in
[15:43] It has a template. You can look up your MP and email them.
[15:43] that I did
[15:43] About 30,000 emails have been sent so far.
[15:43] jace, run hashtags in social networking sites, build consensus
[15:43] And 23 MPs (as of last week) have responded by raising the issue in Parliament.
[15:43] Even more as of this week.
[15:44] The hashtag is #SpeakForMe.
[15:44] !
[15:44] It was a trending hashtag when the website launched in December.
[15:45] Parliament's winter session ends Jan 5, but the budget session starts next month.
[15:45] So if we keep petitioning, MPs will respond by questioning the government.
[15:45] This is the democratic way to do it.
[15:46] One other thing: the *99*99# service is not operated by UIDAI.
[15:46] It's operated by NPCI, a private non-profit owned by banks (both public and private sector).
[15:47] This service exists because of a data sharing agreement between UIDAI and NPCI, which was made in 2011.
[15:47] That agreement is illegal as per the 2016 Aadhaar Act.
[15:48] But thanks to sections 47(1) and 52 of the Act, "illegal" is meaningless if UIDAI likes the arrangement.
[15:48] Which is why that and the Indane website lookup and various other query interfaces into the database exist.
[15:49] This is what should scare you more than all the supposed good things about Aadhaar.
[15:49] jace, what could be the real motive behind denying people to go to courts against UIDAI, anti democratic isn't it?
[15:50] mpduty: because of all the shady things they did in the early days to convince service providers to fund Aadhaar. Now they need to cover their asses.
[15:51] The funding for Aadhaar came from all these service providers, who were promised savings by eliminating duplicates.
[15:51] UIDAI asked for their future savings as funds to build the project.
[15:52] So to make it work, these agencies got access to the database for doing whatever they felt like doing.
No privacy for users.
[15:53] Now they can't dismantle all these agreements, because none of these agencies have actually had any savings.
[15:53] So the act has these two clauses to protect UIDAI.
[15:53] jace considering the fact that UIDAI says Hanuman Aadhaar doesn't exist and Indane showing details, is there a possibility that these service providers might have a copy of UIDAI database?
[15:54] !
[15:54] subho, they have access to it probably
[15:55] with some outdated queries
[15:55] Define "access"
[15:56] able to look into information linked to a particular Aadhaar no
[15:56] UIDAI doesn't keep much beyond biometrics, name, address, email and phone number.
[15:56] So access isn't very useful.
[15:57] As a policy, they don't give away biometrics unless they have a prior agreement to do so, which they have with several state governments. But not with gas companies or banks.
[15:58] The gas agency accepted an Aadhaar number and probably did some validation on it to confirm it's a 12 digit number. Maybe they confirmed the Verhoeff checksum. But did they check with UIDAI that it is a valid number? Most likely not.
[15:58] Even if they did, did UIDAI tell them when the number was cancelled? Nope.
[15:59] So the gas agency now has a leak in their database, which UIDAI assured them would not happen after they funded UIDAI to build a citizen database and clean the agency's database.
[16:00] The more you look into this, the more you'll find UIDAI only exists for their own sake, while the country has a collective hallucination about eliminating corruption.
[16:01] Hi jace, thanks for all the information, I have a query that whenever I discuss this issue with my friends, they stop me saying why are you not giving Aadhaar a chance to prove itself or what other solutions do you have? I know you have already answered some of this, but would love to know more.
[16:02] jace, do you know about this: https://www.prabhatkhabar.com/news/company/aadhaar-issuer-uidai-notice-to-airtel-for-wrongfully-enrolling-users-in-its-payment-bank/1058930.html
[16:06] batman_: it's been seven years. It has killed people. Airtel pulled off a major scam using their system. How much more damage is acceptable while giving it a chance?
[16:07] mpduty: the Fault Lines article we discussed above explains how Airtel did it.
[16:07] One major technical design flaw in Aadhaar is the repeated confusion between identity, authentication and authorisation.
[16:07] The basic idea is this:
[16:08] "Identity" means this identity document is valid and can be verified to be valid.
[16:08] A bank note has security features to help you determine that it is genuine. A PAN card has a hologram. A passport has multiple security features.
[16:09] In Aadhaar, they decided that the physical card is just a piece of paper, with no way to verify it, but the data is electronically verifiable.
[16:09] None of the other id card systems offer electronic verification, so this is a good thing in Aadhaar.
[16:10] But just because the id card is valid does not mean it's my id card, or yours.
[16:10] So anytime someone accepts a physical Aadhaar card, they have made the mistake of confusing identification with authentication. They have not actually authenticated you.
[16:11] This is of course the service providers' fault, not UIDAI's.
[16:12] the fingerprint scan does the authentication
[16:12] Except UIDAI has done precious little to correct such misuse.
[16:12] When demonetisation happened, they even put out a public notice asking people to write the purpose on photocopies so that the copy can't be misused.
[16:13] What they should have done: warn service providers to not accept photocopies at all, because it's not authentication.
[16:13] Second, authentication.
[16:13] Is scanning a fingerprint authentication?
[16:14] not foolproof
[16:14] Define foolproof.
[16:15] Look up Sameer Kochhar's report on stored biometrics. UIDAI filed an FIR against him for it, because according to the Act, reporting technical problems is illegal.
[16:15] Based on this we can at any time only cover ~60 of the population at the max http://censusindia.gov.in/Census_And_You/age_structure_and_marital_status.aspx
[16:15] That is max -
[16:15] vasundhar: context?
[16:16] Finger printing fails because of the age, 45+ or Infants before finger print gets matured
[16:16] vasundhar: discussed already, and not relevant to theory of authentication.
[16:17] On authentication: you can take a picture of a finger and send it to UIDAI's fingerprint API. An API only receives bits on a wire. How is it supposed to know it came from a live finger or a stored copy?
[16:18] Sameer Kochhar reported that one bank was in fact storing fingerprints and using them on the API. UIDAI responded with an FIR, and then introduced what are called "registered devices", which are now mandatory and which are also broken by design. That's a discussion for another time.
[16:19] Fingerprint scanning is only identification. It only proves that the fingerprint matches the database record.
[16:19] To convert it to authentication, the official in front of you must certify that it was your finger and not someone else's.
[16:20] But in almost every situation where there is a demand for Aadhaar, the official has no authority. If they did, they could vouch for your id using your existing id card, without needing Aadhaar.
[16:21] So in this case, UIDAI itself has confused identification with authentication.
[16:21] Next, authentication is not authorisation.
[16:21] Just because you've verified that this is my Aadhaar card because my fingerprint matches, it does not mean I've given you permission to open a bank account in my name.
[16:22] eKYC is an authentication API where UIDAI shares everything they know about you with the service provider.
[16:22] Airtel misused this eKYC authentication to open bank accounts.
[16:23] Turns out it's completely legal, because UIDAI has once again confused authentication with authorisation.
[16:24] So they will make an example of Airtel because of how large their misuse was, but won't go after all the smaller parties who indulged in similar misuse, from Vodafone to Paytm. Because it was all as per UIDAI's directions.
[16:24] maybe this is the real hidden motive
[16:25] Now you can see why section 52 of the Aadhaar act is relevant even more. It allows them to say "oops" after screw-ups like this, and walk away scot free.
[16:26] UIDAI has something called eSign, which is actual authorisation, in that it requires placing a digital signature on an XML document.
[16:26] Nobody uses eSign.
[16:26] Once you start poking at it, you'll find more screw ups.
[16:27] In real life, signatures can be forged, so you can "revoke" it by telling the bank you want to change your signature.
[16:27] Digital signatures similarly have revocation, because theft does happen.
[16:28] But eSign has no concept of revocation. You can't report fraud.
[16:28] So now this is waiting to become the next big scam.
[16:29] All right, I'm going to end here. This has been fun. Hope it was educational for you all.
[16:29] jace, It was great
[16:29] Thank you everyone for joining in.
[16:29] I don't believe that UIDAI is oblivious to these
[16:29] jace: Thanks for sharing
[16:29] Thanks, jace, this has been a great learning for all of us.
[16:29] We will publish the logs as soon as possible.
[16:29] jace, thank you!
----END CLASS----