Hacker News
by thetruthseeker1 2997 days ago
I disagree with the assessment. It seems like any form in which the government tries to identify you is being compared to the scary Orwellian dystopia. There is no cost-benefit analysis. Sure, it could be misused; however, it can also be used in a super beneficial way. India is a country where some Indians have never obtained birth certificates, there was no equivalent SSN system, often resources are poorly distributed because there are scams where a person claims to be somebody else or there is no clear identification system, all of this significantly affects the GDP and the rate at which people’s std of life is improved. I think if it gets misused, then the solution to that is regulation and better management, not no collection.
2 comments

I think it's a mixed bag.

Not Orwellian:

* Requiring identification to get welfare benefits. The article mentions fraud is a big issue.

* Use of biometrics. It sounds creepy at first, but without a robust system of record keeping to base the ID card on, this is a good way to ensure each one is unique.

Orwellian:

* Requiring a government ID to enter a middle school art contest.

* Requiring a government ID to buy a prepaid SIM card.

>The article mentions fraud is a big issue.

When tackling fraud, you must look at 1) exclusions and 2) cost.

In the case of Aadhaar, we've seen the project balloon in cost and vision over the span of two different governments. There have been savings numbers reported by the government that have since been redacted by the World Bank (but the government keeps claiming them). At some point, you must take stock and consider if the amount you are spending to tackle fraud in the system - is it worth it?

Also, Aadhaar is not a fraud-proof system. The most common type of subsidy-fraud (for food benefits) is quantity fraud, where the shopkeeper would sign away 5kg, but only give you 4kg (and sell the other 1kg at a higher rate on the market). There is nothing in the Aadhaar system that prevents it (and other kinds of fraud).

Second: Exclusions. Jharkhand, with the highest rate of authentication failures, has had multiple deaths. Due to how the system works now (you receive benefits in your bank account instead of directly getting subsidized rations), it requires double the effort (which converts to one-fewer working/earning day because of the extra bank trip).

https://thewire.in/rights/jharkhand-nagri-ration-pds-direct-... is a harrowing read, if someone's interested.

>* Requiring a government ID to enter a middle school art contest.

We've gone beyond this. Nursery schools in India for toddlers now demand Aadhaar numbers of both parents and the kid.

What is your solution? It kind of seems like Aadhar should be better managed... rather than reinvent another identity system, sure I am optimistic that Aadhar will improve (It's a very new system compared to SSN or other identity systems)

Regarding ballooning costs, so many successful programs have had costs that exceeded the plan, so far with Aadhar there has been no evidence that the ballooning costs have been debilitating and on the contrary Aadhar seems to be helping.

I'm just a security researcher, and unfortunately I don't have any concrete suggestions. I'm hoping that the Supreme Court takes a favorable approach to this madness and limits the damage (by asking the government to stick to its 2015 order which limited mandatory usage of Aadhaar to 3 schemes only, for eg).

On ballooning costs - Yes, the scope has vastly increased:

1. it was supposed to be a YES/NO boolean API, which has since become a complete eKYC API giving third parties access to your data

2. State resident data hubs that maintain a copy of your biometrics and data to enable state level surveillance

3. Pushing of mandatory linkages has cost us thousands of crores already.

(and more that I'm missing - this is early morning IST now and I'm getting sleepy). A lot of this should not have been allowed in a scheme that was passed in the parliament as a "Money Bill". The helping part is non-proportional to the expenditure which we've seen - this is under purview in the SC hearing as well.

I am sure that I can find flaws in some of the best identity systems in the world - but I am not sure if just finding faults makes a good discussion, hence I am not going to do that (in addition to not wanting to be labeled a cynic).

Also when you say the costs are not proportional to the benefits... I don’t know if it needs to be proportional, also is there a well researched study that talks negatively about the overall value provided - I find that hard to believe?

Usually legislature is free to spend money on programs as long as it is not against the law or constitution and judiciary can’t interfere on such matters. I don’t know what is in the scope of S.C w.r.t Aadhar - I can see some kind of violation of civil liberties within its scope... but I can’t see how cost benefit analysis is within SC’s scope. So I may not comment on it until it plays out.

India spends a lot of money on roads which should last years but fail every monsoon. Aadhar expenditure might be a small blip compared to those.

Govt were anyway required for most things in India. This is just another card. The main issue would be accepting it without finger verification.

The parts that sounded reasonable sound less so given this context.

It is guaranteed to get worse if the Supreme Court doesn't step in. For eg - Aadhaar enabled payments are on their way, and there is a push from the government to get Aadhaar authenticated ATMs out (fingerprint based). Think of what happens when your Aadhaar is disabled? We've already had people die on hospital entrances because they couldn't find the patient's Aadhaar[0], now we're moving closer to a guaranteed civil death.

The state of Telangana, for eg is turning into an over-policed state with:

- The state police maintaining a copy of the Aadhaar Data[1]

- And using it to geo-tag each resident[2]

- And track petty crimes using Aadhaar[3]

Our only hope at this point is that the Supreme Court gives a favorable verdict.

[0]: https://timesofindia.indiatimes.com/city/chandigarh/hospital...

[1]: http://srdh.telangana.gov.in/tgsrdh/DataSeeding.html

[2]: https://twitter.com/digitaldutta/status/958251786803994624

[3]: https://timesofindia.indiatimes.com/city/hyderabad/aadhaar-l...

Why are you blaming Aadhar instead of the hospital? What kind of hospital turns away critical patients? Btw the hospitals in my area were not accepting card payments before demonetization. They wanted only cash.

> Requiring a government ID to enter a middle school art contest.

Possibly a security measure? Schools are increasingly becoming targets for anti-social elements of late. I wouldn't be surprised if the public, on its own volition, pressurizes the government to have stringent security checks in schools.

> Requiring a government ID to buy a prepaid SIM card.

You can't authenticate without Aadhaar OTP. And don't expect the government to send OTP to an unverified mobile number. That would put huge liability on the government if tomorrow you claim that the number never belonged to you. Biometric scanners are not ubiquitous, so the need for linking SIM cards for authentication.

> Possibly a security measure?

What I read in the article sounded like the ID was required to submit an entry to the contest, not to be present in the area. I would need more information to comment on alternate reasons.

> You can't authenticate without Aadhaar OTP. And don't expect the government to send OTP to an unverified mobile number.

Authenticate what? Last time I needed a prepaid SIM card (in the US), I bought it on eBay and provided no information other than a mailing address (not mine).

By authenticate I mean Aadhaar transaction authentication. Say you are filing your tax returns. There are currently three ways to authenticate that the tax return was indeed filed by you:

1. You take a print out of the acknowledgement, sign it and send it to a centralised tax processing unit.

2. You purchase a digital signature and sign it using the same (requires you to be slightly tech savvy). Not to mention the cost of acquiring the digital signature and the fact that you need to keep renewing it every few years.

3. Just authenticate using your Aadhaar number. An OTP will be sent to your mobile number and you just need to enter the same on screen. Once verified, you have digitally signed and submitted your tax return.

I find option 3 really appealing. This is just one practical example of where one can use Aadhaar and OTP for authentication.

I've filed my tax returns with just my PAN card and without using a DSC. This might be different for a registered organization where CAs must handle DSCs I think, but you could file your Individual taxes without printing/using a DSC/Aadhaar by just creating a new account linked to your PAN.

The fact that they used OTP (and tout it as a security feature) is so disheartening.

I am not the SIM card in my phone. Switching legal consent to a mere 6 digit OTP is a terrible idea. Even more so because SMS is unencrypted and a terrible way of sending secrets. There is no recourse in the law for someone stealing your phone and signing away your entire property once e-Sign comes in force everywhere.

I'm just tempted to take a large strength antenna and build an Aadhaar-OTP Wardriving tool.

> The fact that they used OTP (and tout it as a security feature) is so disheartening

I do not anywhere mention it as a security feature. I actually mention that I find it appealing as I don't want to go through the hassle of obtaining a DSC just to verify my returns. E-verifying through Aadhaar is simpler. To expect someone to hack it is quite remote as it would require knowledge of multiple things: my Aadhaar number, access to my network, knowing the date and time of when I decide to file my returns, having to utilise the OTP before I use it or it expires. It's possible for a really concerted attacker but then I start to question his sanity. It's much easier to just break into my home and get me to sign at gunpoint. ;)

I should have been more clear. I'm talking about after filing of returns. You have to verify it. It's either sending the signed acknowledgement to CPC or e-verifying it digitally. Have you sent the signed acknowledgement to CPC? It's mandatory to send acknowledgement to CPC if you haven't digitally signed it using DSC or Aadhaar. Please check with your CA as the rules are same for personal and corporate income tax.

EDIT: Procedure to verify your submitted tax return: https://www.hrblock.in/guides/itrv-download-guide/

> There is no recourse in the law for someone stealing your phone and signing away your entire property once e-Sign comes in force everywhere.

I agree with you on this. Currently however, this is how it is with everything online. Take any 2-FA service. It's either SMS based or through Google authenticator/yubikey etc. To expect non tech savvy people to use yubikey or Google authenticator is going to be a hard sell.

> I'm just tempted to take a large strength antenna and build an Aadhaar-OTP Wardriving tool.

Hahaha! Provided you know the Aadhaar number for the associated OTP as well ;)

> prepaid SIM card (in the US), I bought it on eBay

This is highly unusual now. For instance most countries in Europe will now need to see your passport to enable a SIM card. So India isn't an outlier. The stated reason, I believe, is terrorism. Whether this is Orwellian I leave for you to decide.

Yes, that's highly Orwellian and terrorism is an absurd justification. Anybody capable of pulling off a terrorist plot requiring a phone is likely to be able to find a way to get one without such a regulation making a problem for them.

What it does enable is surveilling a person's location and some of their communication without having to do something requiring resources and the possibility of alerting the person that they're a target.

For the record, it's not unusual to be able to buy and use a prepaid SIM card anonymously in the US. There have been a couple proposals to ban it, but they came nowhere near passing.

Sorry, by "highly unusual" I meant more an outlier among countries (in which I've bought sim cards).

I guess I now assume it's all so tracked as not to matter much one way or the other -- it's not like the NSA can't connect your eBay account to your name. Asking for ID just saves them a few CPU cycles, reducing everyone's carbon footprint :)

That's not how it works. Your Aadhar account is linked to one number. Why do you need to link all your numbers to your Aadhar?

Besides, the link is not two way. Case in point - a friend forgot to recharge their phone. The phone went out of service. Another person got the phone and started getting my friend's Aadhar OTPs. Even though they got the phone using their own Aadhar number. The "link your phone to Aadhar when you need a new connection" has got nothing to do with "link your Aadhar number to your phone in order to get authentication OTPs".

They are two entirely different processes.

I have a recycled SIM which I legally own, which is linked to the prior owner's Aadhaar.

It will remain linked even if I link my SIM with my Aadhaar. (The Aadhaar->SIM mapping which the government uses is maintained by UIDAI and is not given out, the SIM->Aadhaar mapping which is mandated by DoT is maintained by KYC-regulations of my telecom provider at the telco level)

Exactly. This has happened to a friend. They were able to find my friend's name from Truecaller. Soon they started getting fake calls to get her account number or Aadhar number. If my friend's Aadhar data had been leaked (as it has for thousands of others), they were done for. Once your Aadhar number gets leaked it gets leaked forever. There is no provision for the government to issue a new one, which is a fundamental flaw in the system.

There are KYC regulations for telcos? Found the Orwellian part.

Yes, these have existed for quite some time. However, you could get one with varying different ID proofs earlier - Driving License, Ration Card, PAN (Tax) Card, Voter ID etc.

Now, we're all being forced to link _everything_ to a single 12-digit Aadhaar.

What justification is given for this?

are those really orwellian though?

they could make an orwellian system on top of it where they destroy government IDs to unperson you, but in and of itself, those aren't very orwellian.

Given what’s going on with the population register in Assam and certain groups right now, this is not a groundless fear at all.

There is a cost benefit analysis, and many people have shown that the govt figures are incorrect, and that Aadhar has not had an impact.

I am fully sincere about it.

Straight up Aadhar has hurt our constitution. It was initially run without ANY legal protections or aegis.

Later it was retroactively Okayed via a money bill.

It has rarely been used for its intended purpose, but instead it has terminal feature creep and support from the state to enter every sphere of life.

The state govts are now making their own mirrored databases of Aadhar data, which last I checked is not covered by the Aadhar law.

The Aadhar agency is the only agency which can take cognizance of Aadhar offenses - making the agency its own judge and jury.

Aadhar was never meant for scam protection or prevention - take a look at the claims of the Aadhar agency.

They use clever tactics to appear to be enablers, but when put on the spot they reduce their job to "we just authenticate biometric requests" - moving the onus and responsibility for any leaks or misuse to other agencies.