UIDAI has repeatedly been told that there are gaping vulnerabilities in their architecture of their systems, and more importantly their processes.
These concerns were generally met with great hostility; UIDAI has relentlessly pursued to silence people sometimes by threatening them with legal proceedings.
ORF compiled a list of leaked UID numbers (~100 million) sometime back. Many UID numbers were dumped onto the Internet by clueless public servants. UIDAI promptly sent them a cease-and-desist order (or something to that effect).
UIDAI was implemented, very un-democratically, first by the former ruling coalition, and is now being promoted to ridiculous levels by the current political elites. All this has been done under the watchful eyes of the billionaire, Nandan Nilekani. He was able to engineer this junk system past both the legislative houses and courts multiple times over the course of the previous decade. UIDAI has only receive mandate well after it was already pushed out onto the people through underhanded tactics.
Usha Ramanathan and others have been following this development from the start. It's increasingly becoming obvious that UIDAI was really only a means for creating a new Orwellian state, where everything can be turned off at the whim of some perturbed politician; where all your phone/bank numbers are at the mercy of some wrathful God in Delhi (and likely as not outside of it). This theory goes well with recent statements coming from the Indian state apparatus about the abolition of cash/untracked assets.
People in power learn very quickly the extents of their power. They will surround themselves with henchmen intelligent enough to explain to them their power.
When it comes to power, there is no developed and developing.
In India or any poor country with a large population you don't need hi tech scifi methods to control a population. The country is reasonably stable ie not falling apart like Syria or Venezuela because brutal systems of control are already in place. People who are suddenly worried about state control are seriously clueless.
I won't add to the toxicity of the comments found in the article.
Has anybody who has worked on the Aadhar system have a presence on HN? The cynic in me wants to believe that the 'system' was nothing more than a simple crud app with the front end locked away under a username and password. Minimal effort, minimum spent.
Even large Non-Tech corporations are known for really insecure systems, insufficient password protection, easily guessed usernames etc. all in the name of saving some $ on development.
And to think this DB was not even meant for profit in the first place!
Did they (the org that built Aadhar) commit the same mistakes or does this look like an inside job (purely for profit, with no malicious intent)?
I want to be wrong. I want this to be an 'attack' rather than just an 'pay for access' method.
Read the article. The issue here is -a massive number of, thousands- corrupt officials and politicians, not a programming error.
The corruption comes with full service. Not just information leak, but information falsification, introducing fake people into the system, false aadhaar cards (and therefore passports), the works. And if you buy 5x access (ie. $50) it comes even more full service: install software on official computers (presumably for remote control), so that unlimited access is available.
And of course, we know that the reverse exists as well : refusal of service for legitimate purposes unless bribes are provided.
Meanwhile banks give anyone with your passport access to your bank account. Which sounds reasonable until you read ... A new epidemic is spreading across India. Find a "rich" person, figure out where they bank, get an ID card in their name (from the real government, I might add), and phone in a bank transfer or just get a new bank card issued from the bank. Of course, the government will be taking full responsibility I'm sure.
But surprisingly, none of this is a serious concern to the government, which insists on simply lying about the problems. They promise to investigate though, they promise.
Yes and no - the aadhar agency itself didnt do anything wrong.
This is by design. I believe Nilekani took a long hard look at the trade off between privacy and achievability when creating aadhar and decided to fob off responsibility - moral and practical - to other people.
As a result the agency itself, just provides access to the DB and protects the biometric DB, and gives access to other agencies to use the system.
So the issue is always going to be the many myriad agencies and states connecting to the system, and now also the state databases which are being created.
Now the defense - "It wasn't us but the HVAC guys who had weak security" would have been stupid because they were responsible. They were fined 18.5 million dollars:
So using this kind of logic is like being an ostrich. And UIDAI for better or worse is being an ostrich using the same logic - "It's not us but them" over and over again.
If it wasn't for the mandatory stuff government is doing, people would have ignored and junked Aadhar a long time ago.
Unfortunately, the only person who can prosecute someone for a breach of aadhar is the UIDIA itself.
Dont ignore the value of the design in making the organization survive scruitiny and legal challenge in India.
While all is well and good for citizens in America with their legal system, UIDIA is a creature for India.
I am not making conjecture here, I am making sure people are aware that from the start of the program, its been designed to pass scrutiny and shift responsibility.
>>Dont ignore the value of the design in making the organization survive scruitiny and legal challenge in India.
You have no idea.
Government orgs in India have resisted any technology driven reforms for a long time. Even today you can walk up to the nearest police station and you can see them writing and referring things(running things) out of a real notebook. The campaign to resist use of computers is just mind boggling.
They just don't want anything that enforces accountability through design.
Same goes with tax collection agencies, property taxes are still collected and hand written receipts are issued. In case of an audit you can always come up with 'dog ate my homework' kind of excuses and all the money could be swindled without a trace.
There are only a few places where computers are used(like passport services) largely because not doing so will send you absolutely back to stone age era compared to the remainder of the world. In the past my father tells me the corruption in passport services was so immense, they would sell all application forms to touts and agents. And then the only way to get a passport would be get it through them. And of course they would ask for bribes. Many times its a few hundred rupees per table the file sits on multiplied by the number of tables through which it passes. You do the math.
I heard they were very bitter when computers were bought in and online applications came in.
I think your other post is getting downvoted because you comments can come across as being in support of the fact that -- the only person who can prosecute someone for a breach of aadhaar is the UIDIA itself. It is entirely possible that you are stating a fact but don't support that position, it is not clear if that is indeed so.
Oh dear - I definitely don’t support The program, and have opposed it from day 1. This means opposing it at a time when most of the Indian internet world was not concerned or staunchly pro aadhar.
The program has only served to prove that every informed concern about it has been proved correct.
Also it won’t surprise me if my opinion is unpopular because it opposes aadhar.
I think you'll find that people consider organisations responsible for the actions of their employees, and failure to police their actions is very much the government's fault.
If a Microsoft employee gave people access to your mailbox, and they used it to get $5000 from your bank account, would you consider them responsible ? Because I sure would.
This is a similar situation, except of course, that no Indian citizen has any choice in the matter: they cannot change their ID card provider, nor can they demand banks not give access that way : both have been legislated.
So when banks gave access to criminals with the (official, government-issued, through bribed officials) ID cards of the owners of those bank accounts, I feel like it is very much the case that the government is responsible, in at least 3 ways.
1) it was government officials who gave people access to that bank account
2) the banks tried to stop it, but are legally forced to give access to bank accounts to people holding those ID cards
3) the government is refusing to fix these issues, or secure their side
4) and the least way, the government is supposed to stop criminals. Which they did in a few cases, and did not do in thousands of other cases ...
Unfortunately In this case the govt is already ahead of you.
It was several years ago when the UIDIA and the banks were arguing over who should be held responsible for incorrectly authenticated transactions and govt (aadhar authority) held that it was the banks who would be responsible, not them.
They want it treated like a service with an error rate- responsibility for the big picture is always pushed to the nodes.
This is just indicative that the govt has already built barricades and breaks in order to ensure that the aadhar system and its agency are hard to target.
While you can have public outrage (unlikely since this is technical discussion which can be spun in many ways) which could force the govt to act - mostly it’s going to be NGOs and PILs which deal with aadhar.
Don’t forget that the govt kept this thing alive even though it had no legal backing, and then finally gave it credibility via a money bill.
There’s been no privacy discussion or safe guards discussed legally or constitutionally - we have a SC ruling only Now.
Its unfortunate but the authority was built with many arguments and challenges already anticipated.
Simply put - It is very close to being out and out nefarious.
The main problem is that the government wants provide access to this data to all its departments without any say from the citizens. So they ended up creating login based system for departments that has only crude access controls (view/update etc). They didn't segregate and secure the data by state/village etc. So a single corrupt low level official of any department can just 'share' his login with anyone else (assuming the login is even secure to start with).
If I had to design this, I would have added a two factor access to each citizens data which can only be accessed with their consent. But this model doesn't let the government departments access all the data at will.
If you could do it with 2FA, you wouldnt need to make Aadhar in the first place.
I've followed the program from inception. The real genius lies in 2 things, little of which have to do with tech.
The first genius lies in the design of responsibility and liability of the Aadhar authority.
The authority is impervious to assault legally - it is the only person who can mount a legal challenge on the misuse of aadhar numbers.
The authority also farms out all responsibility of usage of aadhar to "other entities". Thus it can never be held accountable since it only "provides other people a tool". What they do with it, is not the Agency's issue.
This is how its engineers can talk on various privacy channels as being fully for privacy and security, the agency itself can be a secure keeper for the biometric information - but the actual harm being done is farmed out to other agencies who can then take the blame.
For those unfamiliar with the term, "lakh" is 100,000.
So, "These groups targeted over 3 lakh village-level enterprise (VLE) operators" is referring to 300,000 operators. That gives you an idea of the scale here.
Summary: The goal was the create a unique identification number for every citizen. This was largely done, but no effective access controls were installed, such that basically anyone on the system could look up any data and even print fake IDs.
This now makes all the numbers useless, since all the data stored may have been duplicated and the means to produce fakes is already out of the box. Somehow, the world's greatest bastion of humility will not submit to omnipresent technical surveillance - should we be at all surprised? India is famously corrupt. Even with rate limiting, search scope limitation, and other techniques it would appear that such data can never be truly secured.
Things will start moving if stolen Aaadhaar details are used to 'inconvenience' members of the parliament of the party in power. As long as that does not happen you might see some grandstanding at best, nothing concrete will happen.
These concerns were generally met with great hostility; UIDAI has relentlessly pursued to silence people sometimes by threatening them with legal proceedings.
ORF compiled a list of leaked UID numbers (~100 million) sometime back. Many UID numbers were dumped onto the Internet by clueless public servants. UIDAI promptly sent them a cease-and-desist order (or something to that effect).
https://www.youtube.com/watch?v=xU0bTAa_djc
UIDAI was implemented, very un-democratically, first by the former ruling coalition, and is now being promoted to ridiculous levels by the current political elites. All this has been done under the watchful eyes of the billionaire, Nandan Nilekani. He was able to engineer this junk system past both the legislative houses and courts multiple times over the course of the previous decade. UIDAI has only receive mandate well after it was already pushed out onto the people through underhanded tactics.
Usha Ramanathan and others have been following this development from the start. It's increasingly becoming obvious that UIDAI was really only a means for creating a new Orwellian state, where everything can be turned off at the whim of some perturbed politician; where all your phone/bank numbers are at the mercy of some wrathful God in Delhi (and likely as not outside of it). This theory goes well with recent statements coming from the Indian state apparatus about the abolition of cash/untracked assets.