Aadhaar or Aandhaar -- Emancipator or Descending into the Darkness?
Sandeep Shukla
Professor and Rajiv and Ritu Batra Endowed Chair for Cyber Security, Computer Science and Engineering at Indian Institute of Technology, Kanpur
Introduction
‘Aadhaar’ in Sanskrit-derived languages means ‘foundation’. ‘Aandhaar’ in similar languages means darkness. Aadhaar was first conceived in 2009 as a foundation of identity for Indian residents. It was not created to be as pervasive, ubiquitous and essential to a functional life in India as it has since become. It was supposed to provide identity to those marginalized citizens who had no other way to establish their identity – for want of ration cards, a school leaving certificate or any kind of document that irrevocably proves who they are. But by 2018, it has taken on draconian proportions and become an instrument for possible mass surveillance, and its leaky ecosystem has certainly exposed unaware citizens to various kinds of fraud. All of this could have been addressed properly if the UIDAI (Unique Identification Authority of India) had taken privacy and security seriously and taken sufficiently reasonable measures to protect the holders of these numbers. Unfortunately, their approach to all kinds of concerns has been dismissive, showing a lack of sensitivity to the issues raised. The statements they make after every reported breach of Aadhaar data show that they do not think very effectively about the threat model each individual breach poses; instead they respond immediately with a blanket statement to the effect that “the CIDR (Central ID repository) is behind 13’ x 5’ walls, guarded by commandos and safe”. In 2018, this is the worst kind of response to a cyber security concern, as the target of the breaches is usually not the confidentiality of the information in the central database but the ‘integrity’ of the data stored there: fake identities come to exist in the database, which then authenticate people of unlawful origin to obtain various services available only through Aadhaar-based e-KYC authentication.
The reason I think Aadhaar is actually becoming Aandhaar, or darkness, is that citizens are concerned about breaches of privacy not only through the pervasive and uncontrolled usage and storage of data in so many disparate IT systems – both governmental and non-governmental – but also because non-governmental entities are fooling their customers by enrolling them for services they did not sign up for, while they are signing up to receive a SIM card or some other service. The way Aadhaar has been inextricably linked to banking by a company whose CEO was the progenitor of the original Aadhaar project seems to be a sinister design. We hear that many banking software systems are incapable of processing new accounts without Aadhaar numbers, even though the honorable Supreme Court has put a temporary restraint on the usage of Aadhaar in banks and telecom services. Banks are still asking for Aadhaar numbers despite the Supreme Court’s temporary moratorium on such usage until it pronounces judgement on the Aadhaar case. Further, given the way the authorities are quick to lodge FIRs against journalists and white hat hackers and openly pronounce anyone who criticizes their lack of security and privacy to be ‘persons of vested interest’, and the way an ex-director of Aadhaar openly incites people to breach their own privacy by publishing Aadhaar numbers on Twitter, it seems that they have learnt their methods from a fascist’s playbook. These are very ominous signs for a democracy, and this is an attack on the federal structure of the Union of India and on local governance and empowerment. One of the presumptions in the entire system is that individuals are dishonest and are cheaters, and that we need to centralize the notion of identity at the cost of their privacy and security to punish them even before they commit a fraud. This presumptuous foundation is itself highly problematic in a democracy.
Recall that Aadhaar was originally meant only for public distribution schemes, to identify the legitimate recipients of PDS benefits. However, in many cases, people died of starvation, having been denied their lawful right to food, because the Aadhaar system did not work as intended. If this is not descending into darkness – then what is?
What is Aadhaar: Is It Equivalent to the Social Security Number?
Aadhaar is touted as a unique identification number for the residents of India – claiming to hold incontrovertible proof of the identity of a person residing in India. It is a 12-digit random number assigned to a person on completion of the Aadhaar enrollment process, which involves providing the fingerprints of all 10 fingers, scanning the irises of the eyes, and showing proof of address and birthdate. Those who do not possess such proofs can be enrolled through a reference by an existing holder of Aadhaar.
My first experience with a unique identification scheme was in 1992, when I was a graduate student in the United States. We had to go to the office of the Social Security Administration and show our university enrollment documents, along with our passport and visa. They assigned a 9-digit number to me, and it was termed my social-security number. It took me a while to understand why it was called a ‘social-security’ number. After I had spent almost 5 years as a student and entered the work force, our salary slip showed a deduction towards our social-security benefits every month. What is a social-security benefit? If I became unemployed, the social-security system would pay me some living expenses until I found a job (as a non-immigrant visa holder I would have become an illegal immigrant if I stayed on while unemployed, hence this is applicable to immigrants and citizens). This became more realistic when I became a green card holder. Only after obtaining a green card or US citizenship could I continue to stay in the country and get this benefit. But for citizens of the US it makes perfect sense, as whenever they become unemployed, they can claim social security benefits. Further, after the age of 62 (in recent years this has become 67, I believe), the deductions accumulated over one’s working life allow the social-security system to pay him or her a social-security pension. This is part of the ‘New Deal’ of President Roosevelt during the 1930s. Even though he was a capitalist, after the experiences of the Great Depression he and his economic advisors understood the responsibilities of society towards all its stakeholders.
The social-security number’s uniqueness allowed the system to keep track of my deductions across multiple jobs, all the way through retirement. Further, this number also doubles as the tax identification number for everyone. Income tax is not connected to social security, but at some point the government decided to use the same number for uniquely identifying the tax returns of its residents and citizens – just as a matter of convenience. This number is also used for opening bank accounts, insurance and several other fiduciary connections because it is used as a Tax ID. Since banks deduct taxes from interest earned, brokerage houses deduct taxes from the profits of customers, and insurers deduct taxes from insurance payments, they require this number when accounts are opened with them.
Until the early 90s, when people were not so aware of cyber security or identity theft issues, they were using this unique ID in all kinds of places. However, it turns out that the consumer credit rating agencies in the US, who keep track of your credit card payment history, your banking history and your loan payment history and generate a credit score, also use this number. They use it because it lets them track your transactions across all kinds of businesses. Therefore, to receive credit – in the form of credit cards, or bank loans and mortgages – you need to provide this number, and your credit is checked with a reputed credit rating agency.
This led to several identity theft cases, where someone could use your social security number, claim to be you, and, using your good credit score, get a credit card issued. Since the social security number does not associate you with your picture or any biometric, it was not too difficult to commit this fraud. This brought in sweeping legal changes that made one’s social security number sensitive and private information, to be shared only for legitimate business purposes where you can trust the person taking your social security number – say, to check your credit score.
In the early 1990s, when I first entered the university in the US, my roll number was my social security number. Within 2 years or so, legislation made it illegal for universities or schools to do so, and the university had to generate its own unique roll number for each student. However, for tax purposes (for the students who might be getting stipends etc.), they could keep an association between the social security number and the roll number of the students. This association must be protected from data breaches, by law. However, when I was teaching another 15 years later, new data privacy legislation made further changes in university practices. Universities were told that a student’s name, address, and roll number cannot be used in a single document, not even in emails. If the roll numbers are used to identify the students for submitting grades, the names must be removed. That way, even if the database of roll number to social security number correspondence is breached, it cannot be easily discovered who that roll number really belonged to.
These are all attempts to safeguard privacy and protect individuals against identity theft. If someone is specifically targeted, these safeguards are not necessarily insurmountable. But the intent of the law is clear – the security and privacy of an individual’s identity and data must be given the utmost importance.
Identification vs. Authentication
There is a naïve comparison often made, even by highly placed officials in India – that Aadhaar is just like social security – but it is not. The social security system does not have anyone’s biometrics, nor is the number used as an authentication identity. Identification and authentication are very distinct concepts. If someone wants to know my credit history, or legal authorities need to know my tax payment history, and I agree, they can ask for my social security number to find my record from among millions of individuals in the databases of the credit agency or tax agency. However, when I claim a number as my social security number, they have already established who I am through other forms of identity – such as my driving license or passport. The social security number only helps them to establish my credit worthiness, for example. In the case of Aadhaar, the Aadhaar number along with a biometric – such as a fingerprint – is used to authenticate transactions in which money from an account is paid to someone, or in which I am enrolled into a phone company’s plan.
Why is it a bad idea? First, as recently as 2 months ago, the past director of the Aadhaar project, Mr. R. S. Sharma, tweeted out his Aadhaar number, daring anyone to demonstrate that the Aadhaar number is not a sensitive number. He openly challenged people to show they could harm him just by knowing his Aadhaar number. He was duly surprised, and people mounted a denial of service attack on his phone to show him his ignorance. But in the past, on many occasions, the CEO of UIDAI has said that no harm can be caused if Aadhaar numbers are leaked. Many incidents later, about a year ago, they decided to mask Aadhaar numbers with temporary identification numbers. Now they are tweeting out that one should use those derived temporary numbers to protect one’s Aadhaar number. If the Aadhaar number is not private and sensitive, why did they devise this masking system? Not that the masking is of much use, given that much of the population is not computer and Internet savvy, and for them to generate these replacements to use temporarily to protect their original numbers is impossible.
Breaches Galore
Only 2 days ago, several cyber cafes in Gurugram were raided, and it was found that the fingerprints of original Aadhaar enrollment agents had been impressed onto pieces of resin and used to authenticate fake enrollment operators. The operators doing these enrollments were not even known to the authorities, and since they might not verify the real name, the birth date proof, or the address proof of the people they were enrolling, many fake identities were being created. The people enrolled might not even be residents of India.
A few weeks ago, another story surfaced, backed by a 6-month long investigation by the Huffington Post. They found that hackers have created 26 patches to the Aadhaar enrollment software, which disable GPS tracking of the device’s position and bypass the need to authenticate the enrollment operator by using an image file of the operator’s biometric, so that the software can become an enrollment station anywhere in the world. The original intent was that the software was GPS locked, and hence one could not operate an enrollment center outside India. This important discovery made it clear that with a copy of the enrollment software along with these patches, one can run an enrollment operation anywhere in the world. The question is how many Chinese, Russian or Ukrainian nationals, or members of middle eastern terrorist groups, might have been enrolled, as these patches seem to have existed for a while now.
All these scary news stories are always answered by the UIDAI with denial and oft-repeated phrases like “your biometric data is secured in our data center”. No one has breached the database to steal biometrics. But the data has no integrity anymore, as we do not know who is now in the database and can authenticate themselves in India to open bank accounts, get SIM cards, and what not.
So if, as a banker or a telecommunication operator, you feel that authenticating someone through Aadhaar is good enough proof of the person’s identity, you will be highly mistaken. After the last story broke, the UIDAI claimed that their de-duplication software is so precise that no one could have created two Aadhaar numbers. But that was not the attack model exposed in the story. In any case, the accuracy of the de-duplication software is not 100%, and hence such a claim is also meaningless. With 1 billion people, even a 1% lack of accuracy could lead to many cases of duplicate Aadhaar numbers. But the fact that the database might now contain non-citizens, possibly spies and operatives of sleeper cells of terrorist organizations, who are more empowered by virtue of their Aadhaar enrollment, should be considered a serious problem.
These are only a few examples. There have been 100s of stories – ranging from poorly designed applications that use Aadhaar authentication, such as the E-hospital application, to the Rs 500 backdoor entry to enrollment exposed by a newspaper in January 2018 – so the claim on which the entire Aadhaar system is being sold, that it reduces corruption by identifying everyone, is a myth.
A few days ago, another announcement from a global institute drew my attention, and scared me to no end. The institute was announcing that the same Mr. R. S. Sharma will talk about the success of Aadhaar and how the Indian government is ‘monetizing’ citizens’ data. Now, that is an important piece of information. Our data is being sold? What does ‘monetizing’ our data mean?
Tu Kya tha, Kya ho Gaya? (What were you, and what have you become?)
The original intent of Aadhaar, as I understand it, was to provide identity to those who have no other way to establish an identity – such as those who never went to school, have no birth certificate, and do not have a ration card or any document to establish who they are. But in the last 4 years, it has become so draconian and pervasive that in every operation we are asked to use the Aadhaar number and Aadhaar-based authentication (even my employer wants to record my Aadhaar number, and the Bluedart delivery man demanded a copy of my Aadhaar, failing which he would not deliver my package, etc.). This is very bad, as it gives UIDAI unconstitutional and enormous power over us. They can identify every move we make, and every step we take – a surveillance state. Currently the honorable Supreme Court has reserved judgement on the constitutionality of Aadhaar, and we hope that in its wisdom the court will side with our right to privacy and dismantle this attempt at a surveillance state.
Interestingly, a more recent case heard by the honorable Supreme Court this week was about Aadhaar’s request for proposals to software companies -- for the procurement of social media monitoring technologies. Not only have they several times filed FIRs against whistle blowers and against people who showed to their face that their claims are false, they now want to monitor social media and identify the detractors of Aadhaar. The point is – criticizing Aadhaar as a concept of unique identity is a constitutional right of every citizen. Why should they be marked as detractors? They are raising legitimate questions on the validity of the claims by the company UIDAI.
Another dangerous piece of information came to my notice this week on Twitter. The same Mr. R. S. Sharma, who was thoroughly embarrassed after daring people by posting his Aadhaar number – even UIDAI had to post disclaimers – is apparently going to deliver a talk on “fiscal benefits of Aadhaar and efforts by the Indian government to monetize the data created by its citizens” (check out the URL bit.ly/2D126wz). The Center for Global Enterprise organized this on September 27, 2018. If this does not tell you the machinations and designs behind Aadhaar – what can?
Finally, …
Finally, I must say that Aadhaar is a bad idea for Indian democracy -- for local governance and the federal structure as envisioned in the constitution. It is a centralization of all citizens’ data, their movement (even a railway ticket now requires an Aadhaar number), their banking transactions, their mobile phone usage, and most other important activities that require interaction with practically any business. Not only does it give the government massive possibilities for surveillance of its citizens, it also concentrates too much in one place -- and hence if the government “monetizes” the data so collected, and provides it to third parties, it is basically riding high on our shoulders without us even knowing. If you say that you need a nationwide ID to collect birth and death data, our federal system is completely broken. So is our local governance. Such records should be kept at the district level and consolidated at the state level, and the central level database should get feeds from the state databases. Of course, one can imagine a project to computerize such a registration system in that hierarchical set up. But doing it through a national identity basically undermines the federal structure and has an intent of unnecessary centralization. In a federated system this will not lead to a single point of vulnerability, and the central repository will only contain meta-data that cannot be used to track individuals. To achieve some analytics at the central level, for planning for example, I do not see why Aadhaar is needed at all. It seems an a posteriori justification of the draconian Aadhaar system.
Instead, laws should be strengthened to ensure that all district administrations and state administrations have enough IT-enabled systems to feed into the center's database on birth, death and other life events. In fact, such data need not reveal the identity of the persons -- if public health policy decisions are the aim of such a system.
Again, adding educational data through Aadhaar suffers from the same issue -- education is a state subject -- and already there is too much centralization (NEET vs. state medical entrance exams). If the answer to all corruption is to centralize and to intrude into local governance -- then our system of governance is broken and requires a new constitution.
To me identity should be hierarchical -- not a flat structure. The local government is in a better position to provide identity to a person -- and it should then be collected from local governments as and when required. I think my biggest problem is the centralization and the control thereby exercised. Aadhaar authorities often brag that they blocked the Aadhaar of the journalist who showed on TV that with a fake name he could register himself twice. I could understand if UIDAI had filed a police case against a journalist (which I do not condone) and let the judges decide the punishment. But if UIDAI, like a tyrant, blocked his ID -- and if this is the only ID one can function with -- this person is disabled in all functionality and livelihood. It should be illegal to do so. Local governments can also do such things -- but then the person can appeal to the next higher authority and get the ID unblocked -- but if there is this flat central structure, who can he go to?
I think PDS should also be hierarchical, as was originally designed. Of course, corruption and middlemen need to be cut out through IT-enabled mechanisms, but I think Aadhaar is harmful for PDS itself and also harmful for citizen rights :)
I think it is time that citizens demand their right to privacy, and right not to be tracked without a proper court order – otherwise our democracy is in deep trouble.
PGED, B.Tech., C. Eng., ISO 27K1 LA, CC? | Cyber Security Expert with a Strategic Twist | Helping CISOs get a Sound Sleep
6 years ago
I fear that even Aadhaar is going to be a flop-show and something new will come into the market...! To stop this, the Ignorant Government must open a Dummy Aadhaar Database in a controlled environment to Hackers worldwide and start conducting Hackathons and Testing events on UIDAI to know the Vulnerabilities... And it also must felicitate, congratulate and acknowledge the efforts of Testers and Hackers rather than filing Lawsuits against them... The Government of India must understand that 'Ignorance is the Mother of Imprudence and Evils...!'