Some clarifying info, since the title is kinda clickbait—the AADHAAR card doesn't have any biometric info for it. It just has a number. The biometric info lies with the government who can then authenticate an individual based on it.
This whole AADHAAR linking business has been a point of contention in India over the last year as the government is slowly mandating linking your AADHAAR number with all kinds of contracts and services, from rental contracts to telecom providers to bank accounts.
If anyone deserves blame for this kerfuffle, it's the government.
Aadhaar is interesting to watch, given America's debate over using social security numbers for the same purpose, and how to replace that in the wake of Equifax. It seems like the winds are starting to align for us to have something like Aadhaar, so it's interesting to see Indian reaction to it.
SSN for services is par for the course in the US. My cable company has mine.
Because a lot of services don't work without trust. Credit rating agencies are the Certificate Authorities of the physical world.
To give an example, a company will hand you a $1K smartphone for as little as $20. The only guarantee they have that you'll pay the remainder is that you have a history of doing so; they gather this history from credit ratings agencies.
In order for you to be uniquely identified they need a unique identifier. Even full name + birth location + birthdate may not be unique given enough data-points.
SSNs aren't fit-for-purpose. But the purpose of uniquely identifying an individual is a valid one and likely a hole that will need to be filled one way or another (and there are many good concepts to replace SSNs).
That seems like an unsatisfactory explanation. In Germany, for example, although we have a national ID card with a number, that number is almost never necessary to get a service. They seem to manage without it. The only institutions regularly demanding it are the state itself and banks.
So no, a national ID is not necessary for the purposes of creating trust.
But this doesn't seem responsive to the point. If I pre-pay for my phone and service, why does Verizon still demand my SSN and other data? Why do they even care who I am?
I bought an unlocked Android phone from Target, and use T-Mobile prepaid. They don't have my SSN, and didn't even have my name til I paid for some minutes via the website. (Now I pay by CC every month, but oh well, not real important to me.)
Cable service can certainly work without trust. Most of the services are fixed-price, and you can use your own equipment. There's no reason this can't be prepaid anonymously.
What the cable company usually does genuinely need is a physical location, which isn't very good for someone with hardcore anonymity needs like a criminal or a spy, but fine for those of us concerned with needless data leakage.
Most institutions in the UK demand a passport or driving license.
You need a birth certificate to get a passport [1]
You need a passport to get a driving license [2]
In order to vote you need a national insurance number [3], which is issued to you on your 16th birthday, via your guardian's/parent's electoral registration information.
Ergo a birth certificate is a de-facto national ID (or immigration documents)
And many many don't. It's not a requirement to have a passport or driving license to open a bank account, or to sign up with a credit agency (although many/most lenders will want some ID to actually lend to you).
I don't have a British passport or a British driver's license, but I do have a NI number. I can vote, I can open bank accounts, I can get Amazon parcels, I can do normal daily things without them. The only people who have my NI number are 1) the electoral register, 2) my employer, and 3) HMRC (as far as I'm aware at least).
I've not shared it with Amazon (who are the company mentioned in the post), or with my utility provider, or with my broadband provider. I've also not given them my passport or drivers licence, and yet they all seem perfectly capable of verifying I am who I say I am, all without me having any form of national ID.
I 90% agree, with the 10% exception that most cable companies admit you to the Internet, so under current legal frameworks for handling stuff that genuinely shouldn't be on the Internet, a case can be made that they need to know who you are. Not saying that's right, saying it's probably best at the moment. Granted, they also have a service address, and the clever ones can proxy up, but...
You state yourself that the ISP also has the service address, and it's also clear that everybody in the house is using the internet connection, not just the person who is paying the bill.
So identifying the customer provides the ISP with neither the identity of the person using the internet connection, nor any more information (than the service address) about how to locate the person using the internet connection.
So, even if you believe it is right and proper that ISPs are deputised to track down internet users on behalf of the government: why is it advantageous that they identify their customers?
Um, if someone drops a bunch of child pornography from your Comcast account, very upset people in suits are going to talk to (and very likely arrest) the accountholder, which is you, first. An accountholder is responsible for what takes place using the service, just as if you were to hand your phone to someone and they call in a bomb threat, or you lend your friend your car and they go rob a bank with it. They're going to talk to you first, and your house doesn't matter. That's not "deputization." That's accountability for actions utilizing a service that is able to touch other people. That identity is not revealed until an alleged crime meets the minimum bar to subpoena the provider. Nobody is asking Comcast to go looking for you.
I'm not sure what logical point you're trying to make. They've identified the user of the Internet connection; the user is the accountholder. The strong identification of that accountholder follows them if they disappear, which is useful for both receivables and security/LEO. That's the advantage.
Most people using cable also are using rented equipment, you would have to buy your own cable box, dvr, and modem if you want to go completely pre-pay.
> you would have to buy your own cable box, dvr, and modem if you want to go completely pre-pay.
Which I consider - independently from this discussion - as a very good idea. Indeed: In Germany when getting a Digital Subscriber Line most providers will also give you the option to rent the router or modem. But nearly all subscribers know that increasing running expenses this way is nearly always a bad idea, so they know that one should better buy some decent router/modem that one owns.
If you pay for the service after consuming it, you are by definition using a line of credit.
For cable you'd have to load a prepaid balance into your account, from which the cable provider could debit by usage. As soon as the balance hits 0, service is shut down.
With Verizon FiOS I am billed at the beginning of the month and yet I still had to hand over my SSN. Who else am I going to go to, Comcast? I paid for the first month's service when I signed up and I pay for each month before the beginning of the month. For example, I paid for 11/02 to 12/01 on or before the due date which was 10/27. In other words, I paid for the month of November before November began. I have no Verizon equipment. The ONT was already here when I moved here. I bought my own modem/router. I can provide proof if you don't believe me.
The poor can borrow money from source (yes, divulging their identity to that one source, and paying interest) and buy products in cash from all their vendors.
Lending to the poor not only barely happens, it’s a market overrun with predatory lenders. I remember an ad that used to run on late night TV that buried something like 150% APR in the fine print, attempting to avoid US regulation by nature of being operated on a Native American reservation.
Who took them down, you ask? That oh so useless CFPB.
Edit: Here they are. Look at the image of this woman’s loan:
He didn't say that the rich automatically get privacy and the poor don't. He said that the rich can afford privacy. The poor cannot afford it even if they desire it.
I've long since resigned myself to the fact that getting privacy is a struggle and costs money, and most people won't bother.
It’s not exactly the same. Authentication with SSN is simple - SSN + date of birth/name/mother’s maiden name. All of these are immutable so you’d better hope that any firm that collects this information is careful with it. With Aadhaar, authentication is marginally better - either with biometrics (fingerprint or retinal scan) or with an SMS OTP. Identity fraud is still possible but it isn’t scalable, thankfully.
There is still a concern though. If every service that you consume uses Aadhaar as a primary key, it becomes trivial to track the movements and activities of every citizen. I’m certain that for a fee to a shady person you’d get a dossier of places a person has been, where they’ve stayed, who they’ve spoken to, what they’ve spent money on. That’s not theoretical - you can get this info on a Chinese citizen today for less than $100 if you know whom to talk to.
Because you'd have to clone SIM cards / otherwise gain access to someone's text messages instead of just using a bulk list of "secret question" answers.
All tied to the Infineon TPM being broken and apparently nobody bothering to audit it before -- I don't know -- buying cards with it for your whole country?
And to think that people still believe in the secure online voting utopia. As long as we rely on humans to write the code, verify, and patch the online/electronic voting systems, they'll never be secure. So you might as well get them off your mind.
> and how to replace that in the wake of Equifax. It seems like the winds are starting to align for us to have something like Aadhaar
That was the point of the Equifax hack. To push biometrics. They have been itching for the mark since way back. It's getting close.
Did you ever get the feeling you're being followed?
Are you not familiar with the Revelations of St.John
The final book of the Bible, prophesied the apocalypse
He forced everyone to receive a mark on his right hand
Or on his forehead so that no one shall be able
To buy or sell unless he has that mark
Which is the name of the beast and the number of his name
And the number of the beast is '6 6 6'
What can such a specific prophecy mean?
What is the mark?
Any private entity demanding Aadhaar from its users/customers is putting them at risk. So no, some blame goes to companies that have started demanding it.
How does this work exactly, I didn't entirely follow by just reading the article. Does Amazon verify the ID with the government directly?
If so, then that basically means the government knows who you are shopping with. That's all sorts of overreach. Unless it's for tax purposes, I don't see why the government needs to know who you choose to buy from. What if someone buys from a controversial source - does the Indian government really need to know what sort of porn companies someone purchases from?
And if it's just an ID, then how does Amazon know that someone hasn't stolen the ID and just provided it for identity fraud? Or do you also have to provide some sort of biometric verifier also? Either case sounds pretty fraught with difficulty.
In Australia, everyone has a Tax File Number. It's not that well known, but retailers who ask for the TFN are breaking the law and will be fined a huge amount of money.
I _think_ what's going on is that they asked for the Aadhaar card as a "Photo ID". If you read the chat, the AMZN link that the rep points to asks for a place to upload a Photo ID. The Aadhaar card does function as a Photo ID as it has your picture and name on it. So it's similar to being asked to upload your Driver's License as a photo ID. It's possible that Amazon India has a policy of asking for Photo ID for investigating any complaints about big purchases because of fraud (I could just claim that I didn't get the phone). Since this user bought a Samsung Galaxy J7 Prime, it was probably greater than the threshold where the photo ID requirement was mandated. It's also possible that this user account was flagged as a suspicious user.
Either way, the whole biometric scare in this case is nonsense.
That's an interesting observation, and it's possible to see how different cultures deal with anonymity. For a Brazilian, giving out a personal ID for (almost) anybody is a matter of fact.
In Brazil we have a tax number (CPF) and one or more personal ID numbers (state police RG, federal drivers license, passport, etc) which are roughly on the same level regarding personal identification, but which don't matter for tax purposes.
It is mandatory to give your CPF to merchants when they have to invoice the customer, as you (or your CPF) will be one of the parties in that commercial contract. In the case the customer is present in a retail transaction, the retailer can just give you an anonymous receipt. In some states, the customer can give their CPF in order to get some tax refunds.
In either case, an electronic copy of the invoice is sent to the government to account for the taxes, and the invoice must detail exactly what was traded between merchant and customer.
Besides all that, usually you have to identify yourself with both CPF and a personal ID, perhaps leaving a photocopy of both documents, as the CPF number just says you are a taxable personal entity, but it doesn't positively identify a person, as the tax authorities don't store any biometric information. The police (state and federal), on the other hand, have photos, signatures and fingerprints.
Why would a retailer ask for it? I don't think I've been asked for my NI number (the UK equivalent) by anyone except people dealing with my tax (including banks) or by the government directly when registering for services.
It's, I believe, highly illegal. When I worked for BT in the UK, misuse of NI numbers was a very serious gross misconduct offence - we got read the riot act over this. It was almost as bad as corruptly looking up data on individuals' info - say, the Queen's private number ;-)
Amazon can verify this identity using a Govt provided API. The verification can be performed with or without holder's knowledge.
There are multiple issues with this identity. The Govt is using private players to enrol the residents into this platform. There were multiple instances where people paid bribes to get multiple IDs in different names. And, the enrolment agencies with MoU with Govt can keep the data of residents, including biometric data. There is even a search facility available with around 1500 users who can search any details about 1bn+ people.
Above all, if your ID is misused, you can't approach courts. You can lodge a complaint with Govt call center. Only Govt, after investigation, can approach a court on your behalf. Other option is to approach a constitutional court directly, which is expensive.
The Supreme Court is supposed to take up this issue sometime in the near future.
TFNs are weird. You legally don't have to give them to anybody. I have a TFN declaration form sitting in front of me here at work, and it says specifically "It's not an offence not to quote your TFN".
You can just not give your employer your TFN, and they'll withhold your tax at the maximum rate, and you can get a bunch of money back after your tax return. Your TFN is just a way for the ATO to figure out how much tax to withhold so your tax return is more correct.
Anyway, Australia and New Zealand are interesting, in that there is no single number that maps to a person. You can use your drivers licence number, or your passport number, or your TFN/IRD number, depending on the situation.
When they introduced photo drivers licences in New Zealand, there was concern in them turning into a de facto national ID card.
There are however, legal restrictions around who can collect a TFN and what it can be used for.
Section 8 of the Privacy (Tax File Number) Rule 2015:
TFN recipients must only request or collect TFN information from individuals and other TFN recipients for a purpose authorised by taxation law, personal assistance law or superannuation law.
(2) When requesting an individual’s TFN, TFN recipients must take reasonable steps to ensure that:
(a) individuals are informed:
(i) of the taxation law, personal assistance law or superannuation law which authorises the TFN recipient to request or collect the TFN
(ii) of the purpose(s) for which the TFN is requested or collected
(iii) that declining to quote a TFN is not an offence
(iv) about the consequences of declining to quote a TFN
(b) the manner of collection does not unreasonably intrude on the individual’s affairs, and
(c) the TFN recipient only requests or collects information that is necessary and relevant to the purpose of collection under applicable taxation law, personal assistance law or superannuation law.
Huh? What do government mandates to link Aadhaar to bank accounts have to do with an Amazon policy to insist on it to track lost packages?! (The government policy is being challenged in the Supreme Court, fwiw.)
There are two aspects to this. Aadhaar is a photo ID and hence can be used as photo ID by anyone wanting (or mandated) to do so. That includes companies like Amazon.
So 'Amazon asked my biometric data' is just complete bullshit. It didn't.
On the other hand, it's the government that has normalized the association of Aadhaar to every aspect of your life. The fact that it's been contested in the SC does not change that. It's in that sense that I am giving them blame.
The slippery slope for the Aadhaar card is on full display here. A few years back, when this biometric identity card was introduced, the government promised not to make it mandatory, and now you cannot even shop online without this card.
That's not true at all. You can buy anything shipped from within India without providing any documents. Amazon requires id/address proof only when the item is shipped from abroad, and that's only because customs requires it. And you have the options of:
a) Providing the proof to the courier instead of amazon
b) Providing a different address proof like voter id
If I'm being honest I would much rather have the government use something like a public biometric ID number that uses biometrics to validate the number rather than a broken SSN. I mean we already give our fingerprints to the DMV, and to the Customs/Immigration desk when coming back from an international flight.
In today's world not only is SSN vital to everyday life, it is also ironically one of the least secure means to establish ID. Having your SSN out in the public is potential financial ruin, and we generally need to hand out that number to various private organizations and individuals. And if the Equifax leaks are any indication, SSNs are the weakest link in society.
Biometrics can be trusted only as far as one can trust the source of the biometric info being provided. If you're getting biometric info as digital images, you'd have to be sure the images came directly from the person, only for this validation, and (if you want to use this validation for authentication) voluntarily.
The first two can be achieved only if the biometrics are given straight to the government's biometric verification authority, instead of whatever service needs to verify your id taking them and passing them on to the government. The latter is like giving your Facebook username and password to a third-party just so they can verify your Facebook account, the former is like an SSO service.
I have not seen a single SSO-like implementation of biometric Aadhaar verification in India.
And, of course, the third requirement cannot be fulfilled; biometrics are not passwords.
No. Biometrics aren't passwords. They're identification. Just as your picture identifies who you are.
As for the latter part, I feel that, again, the DMV already takes our biometric data, and I would think the same could apply for people in India. Someone is issuing passports, someone has to create valid means of identification. I mean, how else is the government dispensing welfare, social aid, or making sure they're accounting for taxes properly?
Looking at how the Aadhaar authentication process works, indeed the biometric data is being validated by the government.
>I mean we already give our fingerprints to the DMV, and to the Customs/Immigration desk when coming back from an international flight.
I'm not sure what country you live in, but US citizens most certainly are not required to give their fingerprints to the DMV or Customs/Immigration when flying internationally.
There's more than 50 American DMVs, all the states plus DC and each of the territories have their own. Do you really think you know everything about all the requirements for an ID for all of them to make such a statement?
I recall my thumbprint being collected in CA (in the peninsula). It's been a few years. I remember it because I found it somewhat disturbing that they collected thumbprints. The CA DMV web site confirms this practice:
"Fingerprints, including thumbprint, are collected by DMV for added security to your driver license information"
If your experience is different (I may be misreading your response), maybe it varies by office or it's been a while since you've registered in a DMV office in CA?
That's disappointing. At least it sounds like an interesting edge that Indian shopping services can use to attract privacy conscious consumers... until the government requires its use everywhere.
TIL that slopes, positive or negative also need to account for the wind vector and the friction. Low friction and prevailing wind can allow one to slide uphill. It isn't the slope per-se but the energy in the system.
Amazon only requires id when you order from Amazon Global, and that's because customs requires Indians to provide identity and address proof when you're importing something. If you don't want to provide it to Amazon, you have the option of providing it to the courier service (FedEx/Aramex/whatever). Also, you can provide any other address proof like driving license, electricity bill, voter id etc. Aadhaar is convenient because it is one of the few documents that are accepted as proof of both identity and address (passport, driving license, voter id and ration card are the others).
Amazon is not asking for any biometrics. They are asking for your Aadhaar number. The government has an authentication API that can confirm your identity for Amazon using the number. They can do this authentication by email, by phone, or by fingerprints.
This whole FUD about Aadhaar is really sad to see. It's a useful service and we desperately need a national ID. Until now different things require different IDs. Voting card, ration card, PAN card, Passport, Driving license, and so on. With Aadhaar we finally have the chance to move to one unique ID for every citizen. Of course like everything done by government, there are inefficiencies and bureaucracy, but it's markedly less than what we face in other IDs.
I’m sorry you can’t see the privacy implications of Aadhaar. If it’s easy to track every single place you go and every rupee you spend, it affects you in a few ways
Citizens start self censoring themselves. They subconsciously stop engaging in activities that are legal but might be traced back to them. I’ve personally done many things that I’d rather people didn’t know about. I might have dabbled in substances, for example. Maybe I might not have done that if I had known that the eye of Big Brother was watching.
You say elsewhere you’re confident that whatever the abuses of the government, we’d be able to vote them out. With the tracking ability they’ll have in a couple of years, that might no longer be possible. Who would show up to a protest if they knew the govt would be able to track them there?
Ultimately it comes down to this - Indians enjoy a lot of privacy and anonymity because they’re one amongst 1.3 billion people. Paradoxically they don’t value this much at all. Given a chance they’d gladly trade privacy for wealth. It’s not my place to say if that’s a good trade or if they should make it, but you don’t really know what you got till it’s gone.
I'm sorry you think so. I agree that I could have made my case better, and normally I'd take a stab at it now that I have a full keyboard in front of me. But your ad hominem attack makes it not worth my time.
They're not just asking for the number - they're asking for a scan of the entire card including all other details such as gender, age, and address.
What was this desperate need you talk of? Its original vision was to plug leakages and pilferage in governmental social welfare and subsidy programmes, and not as a mandatory national unique ID. It was targeted at only people who wanted to participate in those welfare and subsidy programmes, and not for every citizen.
It hasn't replaced any of the other IDs - we needed n cards earlier, we still need those n cards. If a person didn't have any intention to travel outside India, there was no mandate to go get a passport. If a person didn't want subsidized rations, there was no mandate to get a ration card. But now we need this additional n+1 card and as much additional effort to link all the others to this card. How can the effort be markedly less when it requires every citizen to get their cards linked to everything else under duress of having some service cut, but with limited service centres and their employees very aware of the opportunities to extort money from desperate people?
> They're not just asking for the number - they're asking for a scan of the entire card including all other details such as gender, age, and address.
Name, UID, gender, age, address these are not biometric info. In fact they are part of your ID.
> What was this desperate need you talk of?
I explained it in my comment.
> Its original vision was to plug leakages and pilferage in governmental social welfare and subsidy programmes, and not as a mandatory national unique ID. It was targeted at only people who wanted to participate in those welfare and subsidy programmes, and not for every citizen.
Vision and purpose can change. Nothing to worry about. Originally the purpose of cellphones was to talk and text. Now you watch Netflix on it.
> It hasn't replaced any of the other IDs
It will. Eventually there will be no need to link it to other cards because UID will be enough for everything.
I don't think it's FUD. I have a few questions. Can we confidently say that the database won't ever be hacked in the future? Are we prepared to face such situation? Would the government let you know if the database ever got hacked? What guarantees do we have that the politicians won't use it for their advantage?
To provide a bit of reality check in relation to your answers:
1. This Govt. has, in a recent affidavit to the Supreme Court, claimed the Aadhaar database has never been hacked.
2. Other government agencies — including state governments and the National Informatics Centre have made Aadhaar details and data public, or accessible publicly.
In the case of the National Informatics Centre, supposed to be "the premier science & technology organisation of Government of India in informatics services and information and communication technology (ICT) applications" and is "a part of the Indian Ministry of Electronics and Information Technology's Department of Electronics & Information Technology", an API proxy to the Aadhaar eKYC service was made available on the public internet:
i. With an HTTP, not HTTPS, endpoint;
ii. With a single auth-token, used for all calls to this API proxy, embedded in an Android app the NIC put out;
iii. That was abused publicly by someone for their Android app providing access to "demographic data like name, address, phone number of individuals" without any authorization required.
3. There are no existing data privacy laws. There are no laws to punish, or even state what can be done, in situations of data breach.
4. The Govt. is just now in the beginning stages of forming data protection laws.
> 1. This Govt. has, in a recent affidavit to the Supreme Court, claimed the Aadhaar database has never been hacked.
> 2. Other government agencies — including state governments and the National Informatics Centre have made Aadhaar details and data public, or accessible publicly.
So that means the government has been truthful? As soon as they start lying we'll have the recourse of suing. Don't worry.
Ineptness of government agencies is there in everything. Trains run late and the bathrooms smell. Doesn't mean we need to shut it all down. We carry on and try our best to improve things. Laws will slowly but surely catch up. Enforcement will catch up. This is the only way we can progress.
I made no such assessments; I only laid out the facts as I found them. If you ask me for such an opinion, I'd call it technically correct and disingenuous; like claiming the left hand didn't steal what the right hand did, when the person themself is suspected of thievery.
> Laws will slowly but surely catch up. Enforcement will catch up.
Sure. But the mad rush to get everyone on the system by force should come strictly after these.
> Doesn't mean we need to shut it all down.
I did not call for anything in the slightest to this effect. I was merely laying out the facts.
Trust is the whole problem. Many like you trust this government (why is something I can't understand, other than their effective propaganda, but let's leave it at that). But there are many who don't. It's not just about privacy, it's also about things like fear, religious profiling, autocratic tendencies, curbing of freedoms. It's also not about just the current government, but of governments to come. A non-mandatory Aadhaar would give those who don't trust the system a choice to remain out of its programmes and perhaps voluntarily pay higher costs or forego any benefits. But this government has not given any such choice. It's deeply discomforting to be forced to give all this information to an entity one doesn't trust.
Treating the Aadhaar authority as a partisan object is to make a mistake.
It was conceived by the Congress, and as an agency, it is designed to survive all normal parties which come to power.
It is more an arm of the Government of India, its bureaucracy and underlying machinery - than a political function of whoever is the ruling party at the time.
To discuss it in terms of parties is to pretty much fall into one of its defensive design patterns - because this agency is designed to appeal to any party in power.
A significant amount of design and political thought has gone into this agency, and in the way it has strategically expanded its remit and powers.
In short - UIDAI was designed from to avoid the political pitfalls of modern India and exist forever.
Its only real weakness is scrutiny of its results and methods, and its eventual necessity to handle actual crisis.
Do note, that this has already been planned for, because the Agency is designed to push responsibility away from itself, - instead it gives people the ability to use their APIs and take the responsibility on themselves.
Please do not make the mistake of conflating the ruling party with the machinery of the Government of India.
Aadhaar is a child of the GoI. It has enjoyed support by both parties, and was the brainchild of the previous Majority member in the coalition.
I assure you, that any and all hopes vis-a-vis Aadhaar, placed on the ruling party are in vain.
This is exactly the kind of scenario that Americans would be afraid of - a shadowy government organization, which runs constantly, despite any person or party who is in or is not in, power.
That is what the Aadhaar authority is, and always has been.
They have a product they can offer all successive governments, which will ensure its continued survival.
The party in power is irrelevant.
I know how partisan political discussions get, which is why I am highlighting this point. It doesn't matter who is in power.
An ID number to buy stuff? I remember hearing about that somewhere. I think it was an old book? Someone should tell China, their life gamification score could benefit... ID theft and all.