by newscracker 4117 days ago
I'm leaving aside the certificate issue for a moment since others have mentioned it. This solution is a great way for hackers and phishers to collect a lot of personal information. Perhaps this is done with very good intentions, but is really poorly thought out. I wonder who architects these solutions and how they think.

See the following question in the FAQ (I've edited it for brevity with ellipsis and emphasized important parts). [1]

>Q11 How can I share the e-documents in my digital locker?

>A11 For sharing your e-document...enter the email address of the recipient in the dialog box and click ‘Share’ button.

>The document will be shared with the recipient via email. ...email body will have the URI link of the document and the sender name and Aadhaar number. The recipient can access the document using the URI link provided in the email.

So:

1. You share your document, which is sent over plain text email.

2. The recipient can access it just with a link. There is no authentication or verification of any kind.

3. The recipient can forward the mail to data collectors so they can immediately get your name, your Aadhaar number and the document. There is no link expiry, which allows perpetual abuse of information by forwarding emails. This technology makes selling information a lot simpler and quicker.

4. Someone else's email account gets hacked? Thousands or millions of names, Aadhaar numbers and documents could be out on torrents soon enough. Talk about government enabling things through technology.

Even if you trust the government to store all your documents, even though some may be issued by local authorities, this looks more and more like a comprehensive and centralized data collection mechanism. The next step, which may or may not be disclosed, would be to provide access to every government entity to query this database without any control or limits or oversight. For a country without any privacy laws, they already have your biometric information, now they can completely own you. :)

[1]: https://digitallocker.gov.in/Resources/FAQ-Digital_Locker_v0...

1 comment

No, no, no. The link they send requires Aadhaar verification, you will get an OTP, which you will give to the agency. They can get the copy of the document only if they provide the right OTP. It is the same way you are logging in to this website.

The whole UID infrastructure is two-factor auth by default. Think of the URI like Facebook Graph API URLs. They are static, REST-ful endpoints that require two-factor authentication.

While there are no strong laws to protect scans of your IDs, the biometric data does come under The Privacy Bill, 2013. So does any identification typically used by financial institutions. Your other IDs, like Voter ID, are public information anyway, except for biometric identifiers.
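
An added example, not written by either commenter and not the Digital Locker's actual code: a share link with the two properties the thread argues about, an expiry and an OTP gate, so that a forwarded e-mail alone does not open the document. The token layout, the key handling, the in-memory OTP store and every function name here are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # hypothetical server-side signing key
PENDING_OTP = {}                       # token -> one-time code (in-memory stand-in)

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_share_token(doc_id, ttl_s, now=None):
    """Return 'payload.tag'; the signed payload names the document and its expiry."""
    now = time.time() if now is None else now
    payload = json.dumps({"doc": doc_id, "exp": int(now + ttl_s)}).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def issue_otp(token):
    """Create the code that travels out of band, never inside the e-mail."""
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTP[token] = otp
    return otp

def redeem(token, otp, now=None):
    """Check shape, signature, expiry and OTP, in that order."""
    now = time.time() if now is None else now
    try:
        p64, t64 = token.split(".")
        payload, tag = b64d(p64), b64d(t64)
    except ValueError:                 # wrong shape or undecodable base64
        return "bad-token"
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "bad-signature"
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return "expired"
    pending = PENDING_OTP.pop(token, None)   # single use: a wrong guess burns the code
    if pending is None or not hmac.compare_digest(pending, otp):
        return "otp-failed"
    return "ok:" + claims["doc"]
```
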