by shripadk 2997 days ago
> Requiring a government ID to enter a middle school art contest.

Possibly a security measure? Schools are increasingly becoming targets for anti social elements of late. I wouldn't be surprised if the public, on its own volition, pressurizes the government to have stringent security checks in schools.

> Requiring a government ID to buy a prepaid SIM card.

You can't authenticate without Aadhaar OTP. And don't expect the government to send an OTP to an unverified mobile number. That would put huge liability on the government if tomorrow you claim that the number never belonged to you. Biometric scanners are not ubiquitous, hence the need for linking SIM cards for authentication.


> Possibly a security measure?

What I read in the article sounded like the ID was required to submit an entry to the contest, not to be present in the area. I would need more information to comment on alternate reasons.

> You can't authenticate without Aadhaar OTP. And don't expect the government to send OTP to an unverified mobile number.

Authenticate what? Last time I needed a prepaid SIM card (in the US), I bought it on eBay and provided no information other than a mailing address (not mine).

By authenticate I mean Aadhaar transaction authentication. Say you are filing your tax returns. There are currently three ways to authenticate that the tax return was indeed filed by you:

1. You take a printout of the acknowledgement, sign it and send it to a centralised tax processing unit.

2. You purchase a digital signature and sign it using the same (requires you to be slightly tech savvy). Not to mention the cost of acquiring the digital signature and the fact that you need to keep renewing it every few years.

3. Just authenticate using your Aadhaar number. An OTP will be sent to your mobile number and you just need to enter the same on screen. Once verified, you have digitally signed and submitted your tax return.

I find option 3 really appealing. This is just one practical example of where one can use Aadhaar and OTP for authentication.

I've filed my tax returns with just my PAN card and without using a DSC. This might be different for a registered organization where CAs must handle DSCs I think, but you could file your Individual taxes without printing/using a DSC/Aadhaar by just creating a new account linked to your PAN.

The fact that they used OTP (and tout it as a security feature) is so disheartening.

I am not the SIM card in my phone. Switching legal consent to a mere 6-digit OTP is a terrible idea. Even more so because SMS is unencrypted and a terrible way of sending secrets. There is no recourse in the law for someone stealing your phone and signing away your entire property once e-Sign comes into force everywhere.

I'm just tempted to take a high-gain antenna and build an Aadhaar-OTP wardriving tool.

> The fact that they used OTP (and tout it as a security feature) is so disheartening

I do not anywhere mention it as a security feature. I actually mention that I find it appealing as I don't want to go through the hassle of obtaining a DSC just to verify my returns. E-verifying through Aadhaar is simpler. To expect someone to hack it is quite remote as it would require knowledge of multiple things: my Aadhaar number, access to my network, knowing the date and time of when I decide to file my returns, having to utilise the OTP before I use it or it expires. It's possible for a really concerted attacker but then I start to question his sanity. It's much easier to just break into my home and get me to sign at gunpoint. ;)
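The comment above lists what an OTP-based e-verification relies on: the code is bound to a particular Aadhaar number and a particular filing, it expires, and it can only be consumed once. The following is an added illustration written for this thread, not code from the Income Tax portal or from UIDAI; it assumes a hypothetical server-side verifier with a 10-minute lifetime and a three-guess limit, and all identifiers (`AADHAAR-REF-DEMO`, `ITR-2017-0001`) are constructed placeholders. It shows, from the verifier's side, why a stolen or sniffed code is useless once it has been used, has expired, or is presented against the wrong Aadhaar reference or transaction.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 600   # assumed lifetime of a code; not a documented UIDAI value
MAX_ATTEMPTS = 3        # assumed guess limit per challenge


@dataclass
class Challenge:
    """One outstanding OTP, stored only as a keyed hash bound to Aadhaar ref + transaction."""
    aadhaar_ref: str        # constructed placeholder, never a real Aadhaar number
    txn_id: str             # the filing this code authorises (e.g. an ITR acknowledgement)
    otp_hash: bytes
    issued_at: float
    attempts: int = 0
    used: bool = False


class FakeClock:
    """Deterministic clock so the expiry path can be exercised without sleeping."""
    def __init__(self, start: float) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class OtpVerifier:
    """Hypothetical verifier: issues a code per transaction and enforces binding, TTL, single use, lockout."""
    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self.server_key = secrets.token_bytes(32)   # per-deployment HMAC key
        self.challenges: dict[str, Challenge] = {}  # txn_id -> Challenge

    def _digest(self, aadhaar_ref: str, txn_id: str, otp: str) -> bytes:
        material = f"{aadhaar_ref}|{txn_id}|{otp}".encode()
        return hmac.new(self.server_key, material, hashlib.sha256).digest()

    def issue(self, aadhaar_ref: str, txn_id: str) -> str:
        """Create a 6-digit code for this (Aadhaar ref, transaction) pair.
        A real system would hand the code to the SMS gateway; it is returned here only for the demo."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.challenges[txn_id] = Challenge(
            aadhaar_ref, txn_id, self._digest(aadhaar_ref, txn_id, otp), self.clock()
        )
        return otp

    def verify(self, aadhaar_ref: str, txn_id: str, otp: str) -> str:
        ch = self.challenges.get(txn_id)
        if ch is None:
            return "no_challenge"
        if ch.used:
            return "replayed"            # a code seen once is dead, even inside its TTL
        if self.clock() - ch.issued_at > OTP_TTL_SECONDS:
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return "locked"              # brute force on 10^6 codes is cut off after a few guesses
        ch.attempts += 1
        if not hmac.compare_digest(ch.otp_hash, self._digest(aadhaar_ref, txn_id, otp)):
            return "mismatch"            # wrong code, or right code against the wrong ref/transaction
        ch.used = True
        return "ok"


def wrong_guess(otp: str) -> str:
    """A code guaranteed to differ from the issued one."""
    return "000000" if otp != "000000" else "111111"


def demo() -> list:
    """Walk the failure modes the comment mentions; returns the verifier's verdict for each step."""
    clock = FakeClock(1_000_000.0)
    v = OtpVerifier(clock=clock.now)
    out = []
    otp = v.issue("AADHAAR-REF-DEMO", "ITR-2017-0001")
    out.append(v.verify("AADHAAR-REF-DEMO", "ITR-2017-0001", wrong_guess(otp)))  # mismatch
    out.append(v.verify("OTHER-REF", "ITR-2017-0001", otp))                      # mismatch: bound to another ref
    out.append(v.verify("AADHAAR-REF-DEMO", "ITR-2017-0001", otp))               # ok
    out.append(v.verify("AADHAAR-REF-DEMO", "ITR-2017-0001", otp))               # replayed
    otp2 = v.issue("AADHAAR-REF-DEMO", "ITR-2017-0002")
    clock.advance(OTP_TTL_SECONDS + 1)
    out.append(v.verify("AADHAAR-REF-DEMO", "ITR-2017-0002", otp2))              # expired
    otp3 = v.issue("AADHAAR-REF-DEMO", "ITR-2017-0003")
    for _ in range(MAX_ATTEMPTS):
        v.verify("AADHAAR-REF-DEMO", "ITR-2017-0003", wrong_guess(otp3))
    out.append(v.verify("AADHAAR-REF-DEMO", "ITR-2017-0003", otp3))              # locked
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that the code is never stored in the clear and is only meaningful together with the Aadhaar reference and the transaction it was issued for; the properties the comment relies on (expiry, single use) are enforced by the verifier, not by the secrecy of the SMS channel, which the thread rightly treats as weak.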

I should have been more clear. I'm talking about after filing of returns. You have to verify it. It's either sending the signed acknowledgement to CPC or e-verifying it digitally. Have you sent the signed acknowledgement to CPC? It's mandatory to send the acknowledgement to CPC if you haven't digitally signed it using DSC or Aadhaar. Please check with your CA as the rules are the same for personal and corporate income tax.

EDIT: Procedure to verify your submitted tax return: https://www.hrblock.in/guides/itrv-download-guide/

Ahh, thanks for the clarification. My bank supported e-Verify (EVC on the link you gave) via netbanking so it worked out.

Apparently, there are other EVC methods as well (ATM/mutual fund)

> There is no recourse in the law for someone stealing your phone and signing away your entire property once e-Sign comes in force everywhere.

I agree with you on this. Currently however, this is how it is with everything online. Take any 2FA service. It's either SMS based or through Google Authenticator/YubiKey etc. To expect non-tech-savvy people to use a YubiKey or Google Authenticator is going to be a hard sell.

> I'm just tempted to take a high-gain antenna and build an Aadhaar-OTP wardriving tool.

Hahaha! Provided you know the Aadhaar number for the associated OTP as well ;)

I agree that the alternative is not great either. But when you design a system for a billion people, you need to take into account how easily people can be phished in India for OTPs.

Wardriving Plan:

1. Google for '"Mera Aadhaar, Meri Pehchaan" filetype:pdf'

2. Find someone working at UIDAI on that list

> prepaid SIM card (in the US), I bought it on eBay

This is highly unusual now. For instance, most countries in Europe will now need to see your passport to enable a SIM card. So India isn't an outlier. The stated reason, I believe, is terrorism. Whether this is Orwellian I leave for you to decide.

Yes, that's highly Orwellian and terrorism is an absurd justification. Anybody capable of pulling off a terrorist plot requiring a phone is likely to be able to find a way to get one without such a regulation making a problem for them.

What it does enable is surveilling a person's location and some of their communication without having to do something requiring resources and the possibility of alerting the person that they're a target.

For the record, it's not unusual to be able to buy and use a prepaid SIM card anonymously in the US. There have been a couple proposals to ban it, but they came nowhere near passing.

Sorry, by "highly unusual" I meant more an outlier among countries (in which I've bought SIM cards).

I guess I now assume it's all so tracked as not to matter much one way or the other -- it's not like the NSA can't connect your eBay account to your name. Asking for ID just saves them a few CPU cycles, reducing everyone's carbon footprint :)

I think they'd have to work a bit harder than that.

Even assuming they have continuous access to eBay, telco and MVNO systems, they probably don't have continuous access to the computers of the individual reseller who's selling preloaded SIM cards. This is almost certainly one guy working out of his house.

No doubt, the NSA could hack that guy, but they'd have to do so deliberately. The connection necessary for mass surveillance is broken at this point.

That's not how it works. Your Aadhaar account is linked to one number. Why do you need to link all your numbers to your Aadhaar?

Besides, the link is not two-way. Case in point: a friend forgot to recharge their phone. The phone went out of service. Another person got the number and started getting my friend's Aadhaar OTPs, even though they got the number using their own Aadhaar number. The "link your phone to Aadhaar when you need a new connection" has got nothing to do with "link your Aadhaar number to your phone in order to get authentication OTPs".

They are two entirely different processes.

I have a recycled SIM which I legally own, which is linked to the prior owner's Aadhaar.

It will remain linked even if I link my SIM with my Aadhaar. (The Aadhaar->SIM mapping which the government uses is maintained by UIDAI and is not given out, the SIM->Aadhaar mapping which is mandated by DoT is maintained by KYC-regulations of my telecom provider at the telco level)
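The two posts above describe two separate records kept by two separate parties: UIDAI holds the Aadhaar-to-mobile mapping used to deliver OTPs, and the telco holds the SIM-to-Aadhaar KYC record collected at activation. Nothing reconciles them, which is how a recycled number ends up receiving the previous holder's OTPs. The simulation below is an added example for this thread, not UIDAI or telco code; the registry shapes, the `deliver_otp_checked` cross-check (a hypothetical mitigation that refuses delivery when the telco's current KYC holder of the number is not the same Aadhaar), and the phone number and `FRIEND`/`STRANGER` references are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class UidaiRegistry:
    """Aadhaar -> mobile number used for OTP delivery (the mapping the thread attributes to UIDAI)."""
    otp_number: dict = field(default_factory=dict)   # aadhaar_ref -> phone

    def link_phone(self, aadhaar_ref: str, phone: str) -> None:
        self.otp_number[aadhaar_ref] = phone

    def otp_destination(self, aadhaar_ref: str):
        return self.otp_number.get(aadhaar_ref)


@dataclass
class TelcoKyc:
    """Phone number -> Aadhaar presented at activation (the telco-level KYC record)."""
    holder: dict = field(default_factory=dict)       # phone -> aadhaar_ref

    def activate(self, phone: str, aadhaar_ref: str) -> None:
        self.holder[phone] = aadhaar_ref

    def deactivate(self, phone: str) -> None:
        self.holder.pop(phone, None)

    def current_holder(self, phone: str):
        return self.holder.get(phone)


def deliver_otp_naive(uidai: UidaiRegistry, aadhaar_ref: str):
    """Route the OTP to whatever number UIDAI has on file, with no cross-check (the behaviour described in the thread)."""
    return uidai.otp_destination(aadhaar_ref)


def deliver_otp_checked(uidai: UidaiRegistry, telco: TelcoKyc, aadhaar_ref: str):
    """Hypothetical mitigation: only deliver if the telco's current KYC holder of that number is the same Aadhaar."""
    phone = uidai.otp_destination(aadhaar_ref)
    if phone is None:
        return ("no_number", None)
    if telco.current_holder(phone) != aadhaar_ref:
        return ("number_reassigned", phone)   # would be logged and surfaced to the account holder
    return ("deliver", phone)


def simulate_recycled_number() -> dict:
    """Replay the friend's story: number lapses, is reissued to a stranger, OTPs keep flowing to it."""
    uidai, telco = UidaiRegistry(), TelcoKyc()
    phone = "+91-90000-00000"                     # constructed number

    # The friend activates a SIM with their own Aadhaar and registers it with UIDAI for OTPs.
    telco.activate(phone, "FRIEND")
    uidai.link_phone("FRIEND", phone)

    # The connection lapses and the telco reissues the number to a stranger who presents their own Aadhaar.
    telco.deactivate(phone)
    telco.activate(phone, "STRANGER")
    uidai.link_phone("STRANGER", phone)           # the stranger's own UIDAI record now also points here

    naive = deliver_otp_naive(uidai, "FRIEND")
    return {
        "naive_destination": naive,                               # still the friend's old number
        "naive_goes_to": telco.current_holder(naive),             # ... which the stranger now holds
        "friend_record_unchanged": uidai.otp_destination("FRIEND") == phone,
        "checked": deliver_otp_checked(uidai, telco, "FRIEND"),   # the cross-check refuses delivery
        "stranger_still_served": deliver_otp_checked(uidai, telco, "STRANGER"),
    }


if __name__ == "__main__":
    for k, v in simulate_recycled_number().items():
        print(f"{k}: {v}")
```

The stranger linking their own Aadhaar to the SIM changes only the telco record and the stranger's UIDAI entry; the friend's UIDAI entry is untouched, exactly as the second post says. A defender would want the OTP issuer to consult the KYC side (or the operator's number-reassignment feed) before sending, and to treat a mismatch as a signal to the account owner rather than silently routing the code.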

Exactly. This has happened to a friend. They were able to find my friend's name from Truecaller. Soon they started getting fake calls to get her account number or Aadhaar number. If my friend's Aadhaar data had been leaked (as it has for thousands of others), they were done for. Once your Aadhaar number gets leaked it is leaked forever. There is no provision for the government to issue a new one, which is a fundamental flaw in the system.

There are KYC regulations for telcos? Found the Orwellian part.

Yes, these have existed for quite some time. However, you could get one with various different ID proofs earlier - Driving License, Ration Card, PAN (Tax) Card, Voter ID etc.

Now, we're all being forced to link _everything_ to a single 12-digit Aadhaar.

What justification is given for this?

As per lawyers, the justification for Aadhaar-linkage is very slim[0], but the government is pushing telcos to link so it is happening.

The events:

1. Supreme Court asks DoT in a regular about the status of KYC for telcos and asks for all SIMs to be compliant within a year

2. DoT (Department of Telecommunications) rewords the above as a "direction" (it was not binding till then) of the SC and makes Aadhaar-KYC mandatory (when the original order did not mention Aadhaar in any way, just KYC)

As for the original KYC-law, I'm not entirely sure, but it has existed for decades now.

[0]: https://www.huffingtonpost.in/chitranshul-sinha/no-the-supre...

It's more the original KYC law I was asking about. I find the attempt to deprive people of anonymous communication problematic and I'm curious as to the arguments that have been used successfully to do it so I can better argue against them.