Hacker News
by aiauthoritydev 198 days ago
India's Supreme Court is bonkers and often known for its BS judgements devoid of logic and law.

Aadhaar is "identity", it is not a "card" of any kind, though Indians have an inherent love for collecting various cards for fun. I have my driving license, PAN, aapar, kisan and state government health insurance cards, labor department id card. I have a few more in some drawer.

Once a person gets Aadhaar, it acts pretty much the same as OAuth. You go to a hotel to get a room. The hotel is required by law to verify that your name and face match. You give your Aadhaar card to them, which they scan on their computer and verify that your name matches your face. Because they are a hotel, they have the right to only verify that.

This is much more privacy preserving than what the Supreme Court did. Because of the Supreme Court, hotels no longer bother to implement this and instead demand your passport and other identification, scan it and leave it in their system forever. They also are known to sell this data to others from time to time.

The technical idea behind Aadhaar was similar to UPI. The government runs the core infra with basic APIs, but private companies build apps on top of it. For example, say GPay builds an Aadhaar interface where, when you walk into a hotel to reserve a room, GPay automatically generates a new Aadhaar number with permissions only to show your name, photo and age. The hotel system verifies that and stores a receipt. If in future the government is investigating who stayed in which room, law enforcement can convert these receipts to identification.

This was a better model which would have unlocked a lot of potential. The government failed to argue the case correctly and the Supreme Court acted more like an activist court.

I do think both Government and Supreme Court failed to show the correct user journey here.

2 comments

I’d love to see a citation for a hotel being legally allowed access to the Aadhaar KUA system, even before the Supreme Court judgement. No hotel in India does this, because Aadhaar as implemented is an “honor-based system” for the majority of use cases, where a photocopy of an Aadhaar (with or without QR) is assumed to be valid.

In comparison, a Voter ID and PAN are both hologram protected and forgeries are easily detected.

W3C verifiable credentials do not require a singular identity source, they work perfectly fine with multiple issuers.

Not OP, I agree that hotels don't do any face matching.

However, for getting a new mobile connection the flow is similar to what OP has mentioned. It seems one can get a mobile connection by not opting for face recognition, but the process is cumbersome. Similarly, for property registrations the fingerprints (at least in some of the states) of the concerned parties are matched against the ones that are associated with their Aadhaar.

Yes, because Telcos are designated as AUAs, and expected to do a full KYC under DoT regulations. Hotels are not.

I have two SIMs, and I surprisingly got the newer of them in 20 minutes at a remote village in India without an Aadhaar. Telcos do a Liveness check with their phone instead these days.

> and instead demand your passport and other identification, scan it and leave it in their system forever. They also are known to sell this data to others from time to time.

Isn't this the problem vs the Supreme court judgement? Why does the hotel need to save this data forever?

A simple fix will be to make companies liable for leaks of personal data. That alone will incentivize them to delete personal data as fast as humanly possible.