
Some clarifying info, since the title is kinda clickbait—the AADHAAR card doesn't have any biometric info for it. It just has a number. The biometric info lies with the government who can then authenticate an individual based on it.

This whole AADHAAR linking business has been a point of contention in India over the last year as the government is slowly mandating linking your AADHAAR number with all kinds of contracts and services, from rental contracts to telecom providers to bank accounts.

If anyone deserves blame for this kerfuffle, it's the government.




Aadhaar is interesting to watch, given America's debate over using social security numbers for the same purpose, and how to replace that in the wake of Equifax. It seems like the winds are starting to align for us to have something like Aadhaar, so it's interesting to see Indian reaction to it.

SSN for services is par for the course in the US. My cable company has mine.


> SSN for services is par for the course in the US. My cable company has mine.

Which seems broken too. Why don't they just let you prepay for service such that they don't need any identity information?


Because a lot of services don't work without trust. Credit rating agencies are the Certificate Authorities of the physical world.

To give an example, a company will hand you a $1K smartphone for as little as $20. The only guarantee they have that you'll pay the remainder is that you have a history of doing so; they gather this history from credit ratings agencies.

In order for you to be uniquely identified they need a unique identifier. Even full name + birth location + birthdate may not be unique given enough data-points.

SSNs aren't fit-for-purpose. But the purpose of uniquely identifying an individual is a valid one and likely a hole that will need to be filled one way or another (and there are many good concepts to replace SSNs).


That seems like an unsatisfactory explanation. In Germany, for example, although we have a national ID card with a number, that number is almost never necessary to get a service. They seem to manage without it. The only institutions regularly demanding it are the state itself and banks.

So no, a national ID is not necessary for the purposes of creating trust.


Tbf, the number on the ID card is not uniquely identifying, at least it isn't supposed to be.

At best it is simply verification of what the card says in human readable terms (both the short number on the front and the long text on the back).

Only the card in its entirety is valid authentication of who you are.

The postal service also demands the card, not only banks and the state, though only if you have packages marked 18+ or PostIdent.


But this doesn't seem responsive to the point. If I pre-pay for my phone and service, why does Verizon still demand my SSN and other data? Why do they even care who I am?


If by pre-pay you mean pay the full retail price, then you can do so without any SSN.


I bought an unlocked Android phone from Target, and use T-Mobile prepaid. They don't have my SSN, and didn't even have my name til I paid for some minutes via the website. (Now I pay by CC every month, but oh well, not real important to me.)


If you pay in full they don't typically require that. Credit checks are only for credit.


Cable service can certainly work without trust. Most of the services are fixed-price, and you can use your own equipment. There's no reason this can't be prepaid anonymously.

What the cable company usually does genuinely need is a physical location, which isn't very good for someone with hardcore anonymity needs like a criminal or a spy, but fine for those of us concerned with needless data leakage.


To add to the Germany counterpoint, the UK also manages a trust system without a National ID.


Most institutions in the UK demand a passport or driving license.

You need a birth certificate to get a passport [1]

You need a passport to get a driving license [2]

In order to vote you need a national insurance number [3], which is issued to you on your 16th birthday, via your guardian's/parent's electoral registration information.

Ergo a birth certificate is a de-facto national ID (or immigration documents)

[1] https://www.gov.uk/apply-first-adult-passport/photos-and-doc...

[2] https://www.gov.uk/id-for-driving-licence

[3] https://www.gov.uk/national-insurance/your-national-insuranc...


Neither of those institutions is a private company.


Many private companies require a passport/driving license as the only form of ID.


And many many don't. It's not a requirement to have a passport or driving license to open a bank account, or to sign up with a credit agency (although many/most lenders will want some ID to actually lend to you).

I don't have a British passport or a British driver's license, but I do have an NI number. I can vote, I can open bank accounts, I can get Amazon parcels, I can do normal daily things without them. The only people who have my NI number are 1) the electoral register, 2) my employer, and 3) HMRC (as far as I'm aware at least).

I've not shared it with Amazon (who are the company mentioned in the post), or with my utility provider, or with my broadband provider. I've also not given them my passport or drivers licence, and yet they all seem perfectly capable of verifying I am who I say I am, all without me having any form of national ID.


> It's not a requirement to have a passport or driving license to open a bank account

That was a govt. mandate, they used to.


I 90% agree, with the 10% exception that most cable companies admit you to the Internet, so under current legal frameworks for handling stuff that genuinely shouldn't be on the Internet, a case can be made that they need to know who you are. Not saying that's right, saying it's probably best at the moment. Granted, they also have a service address, and the clever ones can proxy up, but...


You state yourself that the ISP also has the service address, and it's also clear that everybody in the house is using the internet connection, not just the person who is paying the bill.

So identifying the customer provides the ISP with neither the identity of the person using the internet connection, nor any more information (than the service address) about how to locate the person using the internet connection.

So, even if you believe it is right and proper that ISPs are deputised to track down internet users on behalf of the government: why is it advantageous that they identify their customers?


Um, if someone drops a bunch of child pornography from your Comcast account, very upset people in suits are going to talk to (and very likely arrest) the accountholder, which is you, first. An accountholder is responsible for what takes place using the service, just as if you were to hand your phone to someone and they call in a bomb threat, or you lend your friend your car and they go rob a bank with it. They're going to talk to you first, and your house doesn't matter. That's not "deputization." That's accountability for actions utilizing a service that is able to touch other people. That identity is not revealed until an alleged crime meets the minimum bar to subpoena the provider. Nobody is asking Comcast to go looking for you.

I'm not sure what logical point you're trying to make. They've identified the user of the Internet connection; the user is the accountholder. The strong identification of that accountholder follows them if they disappear, which is useful for both receivables and security/LEO. That's the advantage.


> just as if you were to hand your phone to someone and they call in a bomb threat

Nope. In that case you are entirely clear unless you knew their plan in advance and still let them do it.

> Or you lend your friend your car and they go rob a bank with it

Same as above

See the Ryan Joseph Holle case from 2004


I said they are going to talk to you first. I didn’t say they are going to convict you.


Most people using cable also are using rented equipment, you would have to buy your own cable box, dvr, and modem if you want to go completely pre-pay.


> you would have to buy your own cable box, dvr, and modem if you want to go completely pre-pay.

Which I consider - independently from this discussion - as a very good idea. Indeed: In Germany when getting a Digital Subscriber Line most providers will also give you the option to rent the router or modem. But nearly all subscribers know that increasing running expenses this way is nearly always a bad idea, so they know that one should better buy some decent router/modem that one owns.


This is yet another sign, if one was needed, that the rich can afford to buy themselves privacy while the poor can not.


I bought my cable modem on day one of establishing service. The cable company demanded my Driver's License and SSN nonetheless.


If you pay for the service after consuming it, you are by definition using a line of credit.

For cable you'd have to load a prepaid balance into your account, from which the cable provider could debit by usage. As soon as the balance hits 0, service is shut down.

Most people don't want to deal with that hassle.


I believe that is actually because of the billing period. You're billed at the end of the usage period rather than the beginning.


With Verizon FiOS I am billed at the beginning of the month and yet I still had to hand over my SSN. Who else am I going to go to, Comcast? I paid for the first month's service when I signed up and I pay for each month before the beginning of the month. For example, I paid for 11/02 to 12/01 on or before the due date which was 10/27. In other words, I paid for the month of November before November began. I have no Verizon equipment. The ONT was already here when I moved here. I bought my own modem/router. I can provide proof if you don't believe me.


It's billed in arrears, I assume.


The poor can borrow money from source (yes, divulging their identity to that one source, and paying interest) and buy products in cash from all their vendors.


Lending to the poor not only barely happens, it’s a market overrun with predatory lenders. I remember an ad that used to run on late night TV that buried something like 150% APR in the fine print, attempting to avoid US regulation by nature of being operated on a Native American reservation.

Who took them down, you ask? That oh so useless CFPB.

Edit: Here they are. Look at the image of this woman’s loan:

https://www.freep.com/story/money/personal-finance/susan-tom...


I don't understand why reservations are allowed to assert sovereign immunity while acting as commercial entities


No it isn't. The wealthy are renting modems, dvrs, and cable boxes just the same.


He didn't say that the rich automatically get privacy and the poor don't. He said that the rich can afford privacy. The poor cannot afford it even if they desire it.

I've long since resigned myself to the fact that getting privacy is a struggle and costs money, and most people won't bother.


It’s not exactly the same. Authentication with SSN is simple - SSN + date of birth/name/mother’s maiden name. All of these are immutable so you’d better hope that any firm that collects this information is careful with it. With Aadhaar, authentication is marginally better - either with biometrics (fingerprint or retinal scan) or with an SMS OTP. Identity fraud is still possible but it isn’t scalable, thankfully.

There is still a concern though. If every service that you consume uses Aadhaar as a primary key, it becomes trivial to track the movements and activities of every citizen. I’m certain that for a fee to a shady person you’d get a dossier of places a person has been, where they’ve stayed, who they’ve spoken to, what they’ve spent money on. That’s not theoretical - you can get this info on a Chinese citizen today for less than $100 if you know whom to talk to.


How is ID fraud not scalable in this case?


Because you'd have to clone SIM cards / otherwise gain access to someone's text messages instead of just using a bulk list of "secret question" answers.


Just need a shitty telco to do a # transfer.

I've also heard Verizon, or maybe another American company, also offers access to SMS via the website? That's a disaster waiting to happen.


Not just India, but Spain and Estonia, too:

http://www.zdnet.com/article/id-card-security-spain-is-facin...

http://estonianworld.com/technology/possible-security-risk-a...

All tied to the Infineon TPM being broken and apparently nobody bothering to audit it before -- I don't know -- buying cards with it for your whole country?

And to think that people still believe in the secure online voting utopia. As long as we rely on humans to write the code, verify, and patch the online/electronic voting systems, they'll never be secure. So you might as well get them off your mind.



> and how to replace that in the wake of Equifax. It seems like the winds are starting to align for us to have something like Aadhaar

That was the point of the Equifax hack. To push biometrics. They have been itching for the mark since way back. It's getting close.

Did you ever get the feeling you're being followed?

Are you not familiar with the Revelations of St.John The final book of the Bible, prophesied the apocalypse

He forced everyone to receive a mark on his right hand Or on his forehead so that no one shall be able To buy or sell unless he has that mark Which is the name of the beast and the number of his name And the number of the beast is '6 6 6'

What can such a specific prophecy mean? What is the mark?


Any private entity demanding Aadhaar from its users/customers is putting them at risk. So no, some blame goes to companies that have started demanding it.


How does this work exactly, I didn't entirely follow by just reading the article. Does Amazon verify the ID with the government directly?

If so, then that basically means the government knows who you are shopping with. That's all sorts of overreach. Unless it's for tax purposes, I don't see why the government needs to know who you choose to buy from. What if someone buys from a controversial source - does the Indian government really need to know what sort of porn companies someone purchases from?

And if it's just an ID, then how does Amazon know that someone hasn't stolen the ID and just provided it for identity fraud? Or do you also have to provide some sort of biometric verifier also? Either case sounds pretty fraught with difficulty.

In Australia, everyone has a Tax File Number. It's not that well known, but retailers who ask for the TFN are breaking the law and will be fined a huge amount of money.


I _think_ what's going on is that they asked for the Aadhaar card as a "Photo ID". If you read the chat, the AMZN link that the rep points to asks for a place to upload a Photo ID. The Aadhaar card does function as a Photo ID as it has your picture and name on it. So it's similar to being asked to upload your Driver's License as a photo ID. It's possible that Amazon India has a policy of asking for Photo ID for investigating any complaints about big purchases because of fraud (I could just claim that I didn't get the phone). Since this user bought a Samsung Galaxy J7 Prime, it was probably greater than the threshold where the photo ID requirement was mandated. It's also possible that this user account was flagged as a suspicious user.

Either way, the whole biometric scare in this case is nonsense.


That's an interesting observation, and it's possible to see how different cultures deal with anonymity. For a Brazilian, giving out a personal ID for (almost) anybody is a matter of fact.

In Brazil we have a tax number (CPF) and one or more personal ID numbers (state police RG, federal drivers license, passport, etc) which are roughly on the same level regarding personal identification, but which don't matter for tax purposes.

It is mandatory to give your CPF to merchants when they have to invoice the customer, as you (or your CPF) will be one of the parties in that commercial contract. In the case the customer is present in a retail transaction, the retailer can just give you an anonymous receipt. In some states, the customer can give their CPF in order to get some tax refunds.

In either case, an electronic copy of the invoice is sent to the government to account for the taxes, and the invoice must detail exactly what was traded between merchant and customer.

Besides all that, usually you have to identify yourself with both CPF and a personal ID, perhaps leaving a photocopy of both documents, as the CPF number just says you are a taxable personal entity, but it doesn't positively identify a person, as the tax authorities don't store any biometric information. The police (state and federal), on the other hand, have photos, signatures and fingerprints.


> retailers who ask for the TFN

Why would a retailer ask for it? I don't think I've been asked for my NI number (the UK equivalent) by anyone except people dealing with my tax (including banks) or by the government directly when registering for services.


They don't as a rule, but I believe there have been a few who have tried.


It's, I believe, highly illegal. When I worked for BT in the UK, misuse of NI numbers was a very serious gross misconduct offence - we got read the riot act over this. It was almost as bad as corruptly looking up data on individuals' info - say, the Queen's private number ;-)


... to what end? Credit reports can presumably be looked up without them if they're not asked for regularly.


Amazon can verify this identity using a Govt provided API. The verification can be performed with or without holder's knowledge.

There are multiple issues with this identity. The Govt is using private players to enrol the residents into this platform. There were multiple instances where people paid bribes to get multiple IDs in different names. And, the enrolment agencies with MoU with Govt can keep the data of residents, including biometric data. There is even a search facility available with around 1500 users who can search any details about 1bn+ people.

Above all, if your ID is misused, you can't approach courts. You can lodge a complaint with Govt call center. Only Govt, after investigation, can approach a court on your behalf. Other option is to approach a constitutional court directly, which is expensive.

The Supreme Court is supposed to take up this issue sometime in the near future.


TFNs are weird. You legally don't have to give them to anybody. I have a TFN declaration form sitting in front of me here at work, and it says specifically "It's not an offence not to quote your TFN".

You can just not give your employer your TFN, and they'll withhold your tax at the maximum rate, and you can get a bunch of money back after your tax return. Your TFN is just a way for the ATO to figure out how much tax to withhold so your tax return is more correct.

Anyway, Australia and New Zealand are interesting, in that there is no single number that maps to a person. You can use your drivers licence number, or your passport number, or your TFN/IRD number, depending on the situation.

When they introduced photo drivers licences in New Zealand, there was concern in them turning into a de facto national ID card.


There are however, legal restrictions around who can collect a TFN and what it can be used for.

Section 8 of the Privacy (Tax File Number) Rule 2015:

TFN recipients must only request or collect TFN information from individuals and other TFN recipients for a purpose authorised by taxation law, personal assistance law or superannuation law.

(2) When requesting an individual’s TFN, TFN recipients must take reasonable steps to ensure that:

(a) individuals are informed:

(i) of the taxation law, personal assistance law or superannuation law which authorises the TFN recipient to request or collect the TFN

(ii) of the purpose(s) for which the TFN is requested or collected

(iii) that declining to quote a TFN is not an offence

(iv) about the consequences of declining to quote a TFN

(b) the manner of collection does not unreasonably intrude on the individual’s affairs, and

(c) the TFN recipient only requests or collects information that is necessary and relevant to the purpose of collection under applicable taxation law, personal assistance law or superannuation law.


Huh? What do government mandates to link Aadhaar to bank accounts have to do with an Amazon policy to insist on it to track lost packages?! (The government policy is being challenged in the Supreme Court, fwiw.)


There are two aspects to this. Aadhaar is a photo ID and hence can be used as photo ID by anyone wanting (or mandated) to do so. That includes companies like Amazon.

So 'Amazon asked my biometric data' is just complete bullshit. It didn't.

On the other hand, it's the government that has normalized the association of Aadhaar to every aspect of your life. The fact that it's been contested in the SC does not change that. It's in that sense that I am giving them blame.



