• stumble
  • youtube
  • linkedin

Archives for : Technology

High Court upset with govt order on #Aadhaar link with biometric attendance

HC upset with govt order on Aadhar link with biometric attendance

Srinagar: Hearing a contempt petition, the J&K High Court on Friday directed the state Chief Secretary to file response on why an order has been issued directing employees to link their Aadhar cards with biometric attendance, when the court in an order dated September 11, 2017, had directed that Aadhar cards should not be linked with biometric attendance.

The court issued notice to Chief Secretary BVR Subrahmanyam after a contempt petition in the case titled Syed Musaib versus Chief Secretary to J&K Govt was moved before the court today.


The petitioner, Syed Musaib, submitted before the court that the main objective of UIDAI (Unique Identification Authority of India) was to collect biometric and demographic data of residents, store them in a centralised database, and issue a 12-digit unique identity number called Aadhar.
He further submitted that a December 2011 parliamentary standing committee on finance led by Yashwant Sinha had rejected the National Identification Authority of India Bill, 2010, terming the project as “unethical and violative of Parliament’s prerogatives.”

The petitioner submitted that in 2013, a PIL filed by a former army officer had led the Supreme Court to direct the Government of India to clear its stance on the Aadhar project and had directed the government to widely publicise in print and electronic media that Aadhar was not mandatory for any welfare scheme.
A five-judge Constitutional bench of the Supreme Court had also reiterated on the point of “right to privacy” that Aadhar was a purely voluntary scheme and could not be made mandatory till the matter was finally decided by the court, the petitioner submitted.


He further stated that in 2016, when the J&K government issued an order to government employees, pensioners and beneficiaries of government schemes to get themselves compulsorily enrolled in Aadhar to be able to draw their entitlements, the court overturned the order. Subsequently, another government order was passed making Aadhar card necessary for biometric attendance but it was overturned again by the High Court in an order dated September 11, 2017, in which the court directed that biometric system can be installed in government offices but it should not be linked to Aadhar.


The petitioner submitted before the court that despite clear directions, officials had again issued an order directing employees to link their Aadhar cards with the biometric attendance system, thus being guilty of contempt of court.

Related posts

Edward Snowden expresses concern over Aadhaar system

Edward Snowden

 Edward Snowden during the video conference on Saturday.

From an undisclosed location, Edward Snowden came live amid gathering at media fest in Jaipur on Saturday. The US intelligence contractor turned whistleblower and freedom of press activist discussed on concern related to citizen monitoring programs of world governments, including Aadhaar of India.

“If the Aadhaar system has to work, there should be criminal penalties on agencies for disclosing personal details. There is seriously something wrong with this system,” said Snowden.

He has been crusading against the citizen monitoring activities of the US government and the same dangers are hunting him down. His session on “Being a Whistleblower” narrated more that he spoke. The organisers were unsure of his appearance till the last hour and when he did came online, it was just a white background from anonymous ‘safehouse’.

Despite the hardships, he seems to be in comfort with the situation. “I used to work for the government and now I work for the public,” he said. Snowden said that while the terrorists remain technologically updated, such government monitoring is often used for citizens. He had the audience deliberating on the public government relation. “When governments fear from the public, its liberty,” he said.

Unfortunately, it’s people who fear governments in most cases and thus there remains need for a more collective effort towards a better tomorrow. As for him, the trend of ‘world turning in Chinese market’ was a greater concern than being haunted by his own government.


Related posts

Reductionism in the digital universe #BookReview

Title:New Dark Age: Technology and the End of the FutureAuthor:James Bridle

Title:New Dark Age: Technology and the End of the FutureAuthor:James BridlePublisher:VersoPrice:$26.95

James Bridle on how complex technology darkens our life and culture, and the urgent need to shed digital fatalism

In 2016, when Nintendo’s Pokemon GO created a frenzy across the world, fans of the augmented reality (AR) game were up for a surprise in Russia. While playing the game — which basically means tracking down hidden Pokemons in real time and in real locations using AR technology on their smartphones — near Kremlin, many users found some functonality glitches on their devices,The Moscow Times reported. They found their GPS function compromised.

For starters, Pokemon GO uses Global Positioning System (GPS) to direct users to various locations where the funny comic characters would appear. Near Kremlin, many users found a mismatch between where the Pokemons appeared and the location marked on their devices. Technically, such a thing should not happen because GPS signals could not be tampered with. Or that was they, like many of us, had thought until then. And they were wrong.

Cyber security experts say what the gamers experienced in Kremlin was a process called GPS spoofing, giving enough evidence that Russian agencies were tampering with GPS by faking the signals. So, anyone would want to find a way to Kremlin using GPS would be virtually ‘relocated’ to Vnukovo Airport, which was 32 km away from the city centre. Many experts think this was done for defence purposes, to redirect incoming weapons targeting Kremlin using GPS. Instances such as GPS spoofing, where an advanced technology people believe is foolproof can be doctored and faked, reveal the “blind spots, structural dangers and engineered weaknesses” of computation in contemporary life, warns James Bridle in New Dark Age: Technology and the End of the Future, a brilliant, unparalleled work on the perils of modern technologies and how they obfuscate social realities.

A complex web

Bridle believes technology has made human life extremely complex today by creating layers and layers of processes and systems where humans are condemned to cohabit machine intelligence in ways they cannot comprehend.

As a result, we don’t necessarily realise where we need technology’s assistance and where we don’t. Even that ability is controlled by the systems and processes of technologies we use. “Our social lives are mediated through connectivity and algorithmic revision,” writes Bridle. He explains how the entire world “becomes a code/space” as smartphones becomes powerful personal computers and computation disappears into every device around us, from fridges to cars to fitness bands.

What happens then? This “ubiquity underscores our failure to understand” how computation impacts the “very ways in we think”. Bridle gives the example Wikipedia, which is a beacon among open internet projects. Currently, Wikipedia relies on an army of software agents – bots – to enforce and maintain correct formatting, build connections between articles, and moderate conflicts and incidences of vandalism. At the last survey, bots counted for 17 of the top 20 most prolific editors and collectively make about 16 per cent of all edits to Wikipedia. That’s a “concrete and measurable contribution to knowledge production by code itself,” notes Bridle.

What exactly is the danger here? Clearly, algorithms, which bear within themselves all the ugly biases and prejudices of their creators, are slowly and gradually interfering in our cultural spaces by contributing faster and in many cases better.

At the outset, there may not be a problem and we are free to think such technologies (bots here) are just augmenting our lives. Bridle disagrees: “Computation does not merely augment, frame, and shape culture; by operating beneath our everyday, casual awareness of it, it actually becomes culture.” In a way, software gibberish replaces healthy sociocultural discourses. This can have ramifications in spheres such as public policy, art, journalism, healthcare, sports, welfare distribution and such.

Why do such things happen? This happens largely because of a purely functional understanding of technology. Bridle explains, enchantingly, the dangerous fallout of it, which he calls “computational thinking”, which is the belief that any problem can be solved by the application of computation. “Whatever the practical or social problem we face, there is an app for it,” Bridle mocks. This is some kind of a “solutionism”, which essentially means technology can find a fix to problems. As Evgeny Morozov explains in his witty, insightful 2013 work To Save Everything Click Here: The Folly of Technological Solutionism, this approach is inherently faulty because it underestimates and masks that fact that our imperfections make us human.

Bridle agrees. He says computational thinking forces its apostles (businessmen, policymakers and such) to think that it is impossible to think or articulate the world in terms that are not computable. Soon, the thought reverses in an obscene fashion.

They think that to be solved, all problems should be computable. That which is not computable or not digitally mappable or measurable or code-able is runs the risk of losing a solution or even falling out of the radar of governance, business and culture.

Digital fatalism

Bridle warns that computational thinking is predominant in the world today, driving the worst trends in our societies and interactions, and must be opposed by a “real systemic literacy”. Technology cannot be left to the whims and fancies of those who keep it complex. It should be democratised. Systemic literacy is the thinking that deals with a world that is not computable, Bridle explains, while admitting that it is “irrevocably shaped and informed by computation”.

But that’s not an easy job, in a world where data companies control pretty much everything an individual does and force their users to ignore their fallibilities and become what this reviewer would call digital fatalists, where they become extremely submissive before their digital service providers and accept their propaganda and conclude that everything that happens is inevitable (in a way predetermined by a Super Code) and we have to reprogramme our lives to get them in synch with the digital realities.

This is not some soft-coded paranoia. This is a reality we face every day. When governments ask us to have digitally traceable (and controllable) unique identities and then make such computable citizenship or identity documents mandatory for availing services that do not necessarily require such strict screening by any measure, and when we succumb to such demands without a whimper. We even praise such efforts without really understanding the complexity of such systems or their hidden abilities to be manipulated, we become submissive subjects of computational thinking.

Bridle asks us to stand up and say our existence is be understandable only through computation. We are more than the data we are. Technologies need to be audited (Morozov has argued for algorithmic auditors) and updated to reflect human values such as justice, ethics and inclusiveness. Equally important is to know that systems are fallible and in a world where even the GPS can be faked and choreographed, overreliance on technologies can be dangerous.

Bridle’s work is a great handbook for those who want to probe more on this. He speaks with the calmness of a prophet and the alertness and passion of an evangelist.

Related posts

These digital IDs have cost people their privacy — and their lives #Aadhaar

A man’s retina is scanned as he enrolls in Aadhaar, India’s national identification system, in Kolkata, India. (Bikas Das/AP)
August 9 at 1:45 PM

Reetika Khera is a development economist.

AHMEDABAD, India — Until recently, India’s national identification system, Aadhaar, was heralded both nationally and internationally as a game changer. Headlines in India routinely described it as such. And in a 2011 profile of its founder, Nandan Nilekani, The New Yorker detailed his mission to use the technology — which involves biometric data and the provision of a unique 12-digit number — to fix corruption and “bring about a change in the relationship between the state and the poor.”

But as my colleagues and I discovered, much of Aadhaar’s branding as a transformational solution to India’s welfare problems relied on incorrect data. Gradually, beginning in 2016, even those who helped build consensus for the project among India’s elite reportedly began to recognize its dangers. Today, India is embroiled in “Aadhaargate,” as it has become clear that Aadhaar constitutes one of the most brazen breaches of the right to privacy and the right to live initiated by the government of a democratic country.

In our increasingly digitized lives, sensitive personal information is available in various data silos: travel, banking, insurance, health records, education, social security, mobile phones and so on. Data mining businesses use this information to profile us and facilitate targeted advertising, for example. But an important safeguard of our privacy is that each of these data silos remains unconnected. This prevents companies from seeing an individual’s complete profile.

In India, both the government and businesses are pushing people to submit their unique number for nearly every aspect of their lives — to receive welfare benefits such as pension payments, to file taxes and register marriages, as well as to access mobile phone services and bank accounts. This turns Aadhaar into a dangerous bridge between these previously isolated silos. With each new data silo that gets linked, an important protection against 360-degree profiling gets weakened, leaving Indians vulnerable to data mining and identity theft.

In fact, there have been over one hundred reported incidents of Aadhaar-related fraud already. Forged Aadhaar cards were allegedly used to open bank accounts and take out loans. In some cases, Aadhaar-linked mobile payment apps were used to steal money. Aadhaar has become a textbook case of the damage that can be done when bad technology falls into the wrong hands.

In 2012, Indians began approaching the courts to protect their privacy rights. During the final hearings in early 2018, India’s Supreme Court granted temporary reprieve from the compulsory linking of Aadhaar for basic services. But the government appears to be implementing the directive only half-heartedly. Both the state and businesses alike continue to push residents to submit Aadhaar numbers for many services. And because Aadhaar numbers are required for obtaining life-sustaining welfare, poorer residents have no choice but to hand over their Aadhaar numbers to the state.

Aadhaar not only violates Indians’ fundamental right to privacy, it also violates their right to live. Since the system breaks down the various data silos and funnels the biometric and demographic data of over a billion people into one centralized database, this bulky mechanism creates numerous opportunities for error — some of them deadly. Over the past year or so, at least 15 deaths were reported after people were denied basic resources when their identities could not be verified due to Aadhaar system errors. Seven occurred because people were denied subsidized grain (a legal entitlement under the National Food Security Act of 2013) on account of Aadhaar-related glitches.

Last October, a man reportedly died of starvation in Jharkhand because thumbprint authentication failed for family members who went to purchase subsidized rations. In the previous month, Santoshi Kumari, an 11-year-old girl, also starved to death because her family’s ration card was canceled when they missed the deadline for linking their ration cards with their Aadhaar numbers. And in December, a woman and an 11-month-old infant were refused treatment at hospitals due to lack of an Aadhaar card and subsequently died.

Indians gather at an assembly in New Delhi to discuss how authentication problems with the  biometric ID system are preventing them from getting food rations. March 15, 2018. (Vidhi Doshi/The Washington Post)

Technical glitches in integrating Aadhaar with India’s banking system is also wreaking havoc with welfare payments to its most vulnerable citizens. Aadhaar servers return error codes that few people are able to decipher, let alone fix. Wage payments from a national rural employment guarantee scheme are often delayed or go “missing.” The list goes on.

India’s inefficient, unsecured centralized data system offers a cautionary tale for the rest of the world. Electronic records for citizens can, in theory, improve public services and reduce administrative costs. But centralized electronic records do so at the cost of its citizens’ basic rights.

Smart cards are a better alternative. Smart cards contain a microchip that securely stores needed information about a person without requiring biometrics. Rather, the card is inserted into a reader, which accesses the information stored on the microchip but does not transfer the files off the card and does not require the Internet. It can thus avoid, on several levels, the many failures of Aadhaar authentication.

The Aadhaar project, even before its ambitions have been fully realized, has caused deaths, data breaches, banking fraud and hardship. A project that is increasingly violating Indians’ right to life and privacy must be dismantled.

Related posts

Inside the secret world of Facebook groups offering fake #Aadhaar cards

“Fake Aadhaar available…Ib [Inbox] for deal,” reads one of the posts on a Facebook group “Help for Friends – Advertising Deals” or as its over 7,000 members call it “HFF”.

HFF is a secret group and does not come up on Facebook search results. You need an invitation to join it. 

The group is a close-knit circuit of individuals buying and selling all sorts of things. However, amidst deals violating Facebook’s terms and conditions, we stumbled upon an issue even more grave – people offering to manufacture Aadhaar cards.

In the screenshot below, one of the members can be seen asking others to “inbox” him if they want Aadhaar cards. He claims that the ID proof will be “1001% working”. He also makes a post offering “fake Aadhaar cards for Facebook verification”.

Another member claims that he has at his disposal “many” PDF files of Aadhaar cards. He wishes to know at what price he will be able to sell them. One of the members advertises his stock of 100 Aadhaar cards as “loot loot loot”, selling them for Rs 150 each.

There are also offerings of PAN cards in the group.

The collage below captures several others offering fake Aadhaar cards.

However, this bargain is not one-sided as supply is only created by demand. In the screenshot below, members can be seen willing to purchase fake Aadhaar cards as long as they “look real”.

One of the members also asked for Aadhaar data, which he claimed was “available a few days back.” He wrote, “I am willing to pay good money to anyone who has it.”

There was another Aadhaar related demand that came to our notice – editing. In the screenshot below, one of the members is looking for someone who can edit his date of birth in his Aadhaar card. “Bas real lagna chahiye,” he writes.

We discovered a substantial demand for Aadhaar related editing work for various purposes.

Recently, Alt News published another story about a closed Facebook group that goes by the name “Sharing is Caring – Advertising Deals”. Our detailed report disclosed the inner workings of its 18,000 odd members who regularly buy/sell Facebook pages, Instagram accounts and more.

Help for Friends is more close-knit than Sharing is Caring (SIC) but has a lot of the same members as SIC. Just like in SIC, deals on Facebook pages dedicated to politics, army, girls, actresses and cricket and more are made on HFF too.

Fake Aadhaar card deals on Sharing is Caring

Deals on Fake Aadhar cards are not limited to HFF. We stumbled upon deals related to Aadhaar in the ‘Sharing is Caring’ group as well. The screenshots below are from SIC. If you look closely, some of these names appear in the screenshots of HFF posted earlier in the article.

However, post Alt New’s story, admins of Sharing is Caring seem to have become more vigilant about what sells in the group. One of them posted “new rules as per the need of time”, which now penalise (temporarily ban) members making deals on Aadhaar cards or any government ID proof and fake government offer websites, among others.

There is a reason why groups like SIC and HFF keep their status as closed or secret as the members are well aware that their dealings are often illegal. As this issue comes to light, it becomes pertinent that necessary actions are taken against these groups.

Inside the secret world of Facebook groups offering fake Aadhaar cards

Related posts

The National Health Stack: An Expensive, Temporary Placebo


The year 2002 saw the introduction of a very ambitious National Program for Information Technology in the United Kingdom with the goal to transform the National Health Service — a pre-existing state-sponsored universal healthcare program. This would include a centralised, digital healthcare record for patients and secure access for 30,000 professionals across 300 hospitals. However, the next ten years would see the scheme meet with constant criticism about its poor management and immense expenditure; and after a gruelling battle for survival, including spending £20 billion and having top experts on board, the NPfIT finally met its end in 2011.

Fast forward eight years — the Indian government’s public policy think tank, NITI Aayog, is proposing an eerily similar idea for the much less developed, and much more populated Indian healthcare sector. On July 6, the NITI Aayog released a consultation paper to discuss “a digital infrastructure built with a deep understanding of the incentive structures prevalent in the Indian healthcare ecosystem”, called the National Health Stack. The paper identifies four challenges that previous government-run healthcare programs ran into and that the current system hopes to solve. These include:

  • low enrollment of entitled beneficiaries of health insurance,
  • low participation by service providers of health insurance,
  • poor fraud detection,
  • lack of reliable and timely data and analytics.

The current article takes a preliminary look at the goals of the NHS and where it falls behind. Subsequent articles will break down the proposed scheme with regard to safety, privacy and data security concerns, the feasibility of data analytics and fraud detection, and finally, the role of private players within the entire structure.

The primary aim of any digital health infrastructure should be to compliment an existing, efficient healthcare delivery system.

As seen in the U.K., even a very well-functioning healthcare system doesn’t necessarily mean the digitisation efforts will bear fruit.

The NHS is meant to be designed for and beyond the Ayushman Bharat Yojana — the government’s two-pronged healthcare regime that was introduced on Feb. 1. Unfortunately, though, India’s healthcare regime has long been in the need of severe repair, and even if the Ayushman Bharat Yojana works optimally, there are no indications to show that this will miraculously change by their stated target of 2022. Indeed, experts predict it would take at least a ten-year period to successfully implement universal health coverage. A 2013 report by EY-FICCI stated that we must consider a ten-year time frame as well as allocating 3.5-4.7 percent of the GDP to health expenditure to achieve universal health coverage.

However, as per the current statistics, the centre’s allocation for health in the 2017-18 budget is Rs 47,353 crore, which is 1.15 percent of India’s GDP.
Patients wait for treatment in the corridor of the Acharya Tulsi Regional Cancer Treatment & Research Institute in Bikaner, Rajasthan, India. (Photographer: Prashanth Vishwanathan/Bloomberg)
Patients wait for treatment in the corridor of the Acharya Tulsi Regional Cancer Treatment & Research Institute in Bikaner, Rajasthan, India. (Photographer: Prashanth Vishwanathan/Bloomberg)

Also Read: India To Spend Rs 16,717 Crore On Modi’s Health Insurance Plan In Two Years

Along with the state costs, India’s current expenditure in the health sector comes to a meagre 1.4 percent of the total GDP, far short of what the target should be. Yet, the government aims to attain universal health coverage by 2022.

In the first of its two-pronged strategy, the Ayushman Bharat Yojana aims to establish 1.5 lakh ‘Health and Wellness Centres’ across the country by 2022, which would provide primary healthcare services free of cost.

However, the total fund allocated for ’setting up’ these centres is only Rs 1,200 crore, which comes down to a meagre Rs 80,000 per centre.

It is unclear whether the government plans to establish new sub-centres, or improve the existing ones. Either way, a pittance of Rs 80,000 is grossly insufficient. As per reports, among the 1,56,231 current health centres, only 17,204 (11 percent) have met Indian Public Health Standards as of March 31, 2017. Shockingly, basic amenities like water and electricity are scarce, if not, absent in a substantial number of these centres.

At least 6,000 centres do not have a female health worker, and at least 1,00,000 centres do not have a male health worker.
A woman holds a child in the post-delivery ward of the district hospital in Jind, Haryana, India. (Photographer: Prashanth Vishwanathan/Bloomberg)
A woman holds a child in the post-delivery ward of the district hospital in Jind, Haryana, India. (Photographer: Prashanth Vishwanathan/Bloomberg)

Also Read: Why Health Workers, Paid Rs 4,000 Per Month, Are Vital To India’s National Nutrition Mission 

Even taking the generous assumption that the existing 17,204 centres are in top condition, the future of the rest of these health and wellness centres continues to be bleak.

In truth, both limbs of the Ayushman Bharat strategy remain oblivious to the reality of the situation. The goals do not take into account the existing problems within access to healthcare, nor the relevant economic and social indicators that depict a contrasting reality.

Therefore, the fundamental question remains: if there is no established, well-functioning healthcare delivery system to support, what will the NHS help?

The National Health Stack: An Expensive, Temporary Placebo

Also Read: Lessons From Rajasthan For India’s Latest Universal Health Coverage Programme

NHS: What Purpose Does It Serve?

The ambitious scope of the National Health Stack consultation paper aside, the central problem plaguing the Indian healthcare system, i.e, delivery, and access to healthcare, remains unaddressed. The first two problems that the NHS aims to solve focus solely on increasing health insurance coverage. However, very problematically, the document does not explicitly mention how a digital infrastructure would lead to rising enrollment of both beneficiaries and service providers of insurance.

This goal of increasing enrollment without a functioning healthcare system could result in two highly problematic scenarios.

Either health and wellness centres will effectively act as enrollment agencies rather than providers of healthcare, or the government would fall back on its ‘Aadhar approach’ and employ external enrollment agents.

The former approach runs a very real risk of the health and wellness centres losing focus on their primary purpose even while statistics show them as functioning centres – thus negatively impacting even the working centres. The latter approach is at a higher risk of running into problems akin to the case of Aadhaar enrollment, such as potential data leakages, identity thefts and a market for fake IDs. Even if we somehow overlook this and assume that the NHS would help increase insurance coverage without additional problems, the larger question still stands: should health insurance even be the primary goal of the government, over and above providing access to healthcare? And what effect will this have on the actual delivery of healthcare services to the common citizen?

A lone patient sleeps in the post operation recovery ward of the district hospital in Jind, Haryana, India. (Photographer: Prashanth Vishwanathan/Bloomberg)
A lone patient sleeps in the post operation recovery ward of the district hospital in Jind, Haryana, India. (Photographer: Prashanth Vishwanathan/Bloomberg)

Should Insurance Be A Primary Objective Of The Indian Government?

Simply put, the answer is no, because greater insurance coverage need not necessitate better access to healthcare. In recent years, health insurance in India has been rising rapidly due to government-sponsored schemes. In the fiscal year 2016-17, the health insurance market was prized to be worth Rs 30,392 crore. Even with such large investments in insurance premiums, the insurance market accounts for lesser than 5 percent of the total health expenditure.

Furthermore, previous experiences with government-sponsored health insurance schemes have proven that there is little merit to such an expensive task.

For instance, the government’s earlier health insurance scheme, Rashtriya Swasthya Bima Yojana, was predicted to be unable to completely provide ‘accessible, affordable, accountable and good quality health care’ if it focussed only on “increasing financial means and freedom of choice in a top-down manner”.

These traditional insurance-based models are characterised by problems of information asymmetry such as ‘moral hazard’ — patients and healthcare providers have no incentive to control their costs and tend to overuse, resulting in an unsustainable insurance system and cost inflation. Any attempt to regulate providers is met with harsh, cost-cutting steps which end up harming patients.

On another note, some diseases which are responsible for the most number of deaths in the country — including ischaemic heart diseases, lower respiratory tract infections, chronic obstructive pulmonary disease, tuberculosis and diarrhoeal diseases — are usually chronic conditions that need outpatient consultation, resulting in out-of-pocket expenses.

Patients wait at the Head and Neck Cancer Out Patient department of Tata Memorial Hospital in Mumbai, India. (Photographer: Prashanth Vishwanathan/Bloomberg News)
Patients wait at the Head and Neck Cancer Out Patient department of Tata Memorial Hospital in Mumbai, India. (Photographer: Prashanth Vishwanathan/Bloomberg News)

Even though the government has added non-communicable diseases under the ambit of the health and wellness centres, there are still reports stating that for some of the most impoverished, their reality is that 80 percent of the time, they have to cover their expenses from their pocket. This issue in all probability will continue to exist since the status and likelihood for these centres to be successful itself is questionable.

It is clear, that in the current scheme of things, this traditional insurance model of healthcare cannot benefit those it is meant for.

If this is the case, why has the NHS built its main objectives around insurance coverage rather than access to healthcare? It is imperative that we question the legitimacy of these goals, especially if they indicate the government’s intentions to push health insurance via the NHS above its responsibility of delivering healthcare. The government’s thrust for a digital infrastructure shows tremendous foresight, but at what cost? Even the clear goal of healthcare data portability has very little benefit when one understands that this becomes an important goal only when one has given up on ensuring widespread accessible healthcare. Once the focus shifts from using technology needlessly to developing an efficient and universally accessible healthcare delivery system, the need for data portability dramatically reduces. The temptation of digitisation and insurance coverage cannot and should not blind us from the main goal — access to healthcare. The one lesson that we must learn from the case of the U.K. is that even with a well-functioning healthcare delivery system, a digital infrastructure must be introduced very thoughtfully and carefully. In our eagerness to leapfrog with technology, we must not mistake a placebo for a panacea.

Murali Neelakantan is an expert in healthcare laws. Swaraj Barooah is Policy Director at The Centre for Internet and Society. Swagam Dasgupta and Torsha Sarkar are interns at The Centre for Internet and Society.

Related posts

India – Activists call for scrapping of UIDAI #ScrapAadhaar #DestroyAadhaar

Aadhaar in time of data theft scare:

While many activists advocate for UIDAI to be shut down to put an end to the debate, the call has had little success over the months.

Express News Service

COIMBATORE: The introduction of Aadhaar has not gone well with a large section of the masses, given the issue of privacy and date security.

The challenge put forth by TRAI (Telecom Regulatory Authority of India) Chief R S Sharma and the way it backfired only helped spread the apprehensions over Aadhaar and UIDAI’s (Unique Identification Authority of India) ability to hold sensitive information secure.

While many activists advocate for UIDAI to be shut down to put an end to the debate, the call has had little success over the months.

Usha Ramanathan, a Supreme Court lawyer, is a strong advocate of this idea. “The only solution to keep our identity and data safe is to scrap UIDAI,” she tells Express.

Explaining the mechanism behind Aadhaar, she explains that it will use three numbers — Jandhan Yojana (bank account number), Aadhar number and Mobile number (JAM) — to identify someone.

“As these three numbers are linked everywhere and is mandatory in the government system, our data has become insecure,” she claims. She points out that with this information, identity theft would become far more dangerous.

While the Supreme Court has stayed the government order making Aadhaar mandatory for many of its schemes, the Central government has ignored the order and made Aadhaar as the primary identification proof for a lot of services.

“After the court ruled that privacy is a fundamental right, the Centre asked what harm would come of (someone) having your data. They could not accept that creating such a vulnerable system itself was harmful enough and once someone had our information, then it is very easy to play around with it,” she says, citing several incidents of creating bank accounts and fake insurance policies, without even the consent of the person concerned.

Speaking about the system’s vulnerability, a Coimbatore-based member of Cyber Society of India S N Ravichandran says that hackers could even extract money from an individual’s bank account by using their Aadhaar details. “Once the data is out to private partners and other enterprises at the time of registering for a service or getting a SIM card, you cannot protect it anymore,” he says.

Besides, the system of redressal also seems a little out of reach. Even if you were to find out that your bank account was hacked with the help of your Aadhaar details, according to UID Act, it would be the UIDAI and not you who can file a complaint, points out Ravi.

Denying the charges raised by Ravi that the system is vulnerable and could lead to a data breach, Bengaluru-based data scientist G Arvind claims that Aadhaar is completely safe. Any breach in data or incidents of misuse could not have happened without the consent of the individual, he suggests.

While public worry that their data is being passed on to private mobile operators, Arvind clarifies that Aadhaar only gives access to validate the identity number under the Know Your Customer portal and not the individual’s data.

Officials of UIDAI working in South India refused to comment on the aspect of data security.

Related posts

The #Aadhaar Challenge and the harm unleashed on people

In an India where every government document had to be attested by a gazetted officer, the pendulum has swung to the other extreme.

TRAI chairman R. S. Sharma

 TRAI chairman R. S. Sharma

Instead of examining the harm caused to the country by Aadhaar, R.S. Sharma asked the public to demonstrate the harm it can cause to him. When public officials think about private interests being harmed before protecting public and national interests, they fail to protect either. MrSharma’s Aadhaar Challenge has exposed the corruption of public policy by self-interest.

On July 28, Telecom Regulatory Authority of India (TRAI) chairman R.S. Sharma put out his Aadhaar number on Twitter and challenged anyone to harm him.

Mr Sharma’s ‘challenge’ underlines not just his ignorance about Aadhaar but also his indifference to public interest, governance, financial integrity of the economy and even national security. Given that he was the director general of the Unique Identification Authority of India (UIDAI) during the conception, design and early implementation of Aadhaar, it is a damning testimony to the project, to put it mildly.

The Aadhaar that Mr Sharma helped build is a twelve-digit number associated with biometric and demographic data that the UIDAI doesn’t certify. It doesn’t verify whether the biometric and demographic data belong to a real individual, whether any individual who filled up the form was identified by a UIDAI official, whether real and verified documents were used as proof of identity (PoI) and proof of address (PoA), or even if any of the data captured is true and correct. The UIDAI doesn’t even have any information about the actual PoI and PoA documents used. In fact, the UIDAI doesn’t even verify if the enrolment operator was even in the village or town where enrolments happened. The UIDAI has never undertaken an audit of its Aadhaar data.

In an India where every government document had to be attested by a gazetted officer, the pendulum has swung to the other extreme. Biometric and demographic data submitted by private operators to the UIDAI is suddenly being used to replace legally valid, legitimate identification documents issued and certified by government officers. Once the Aadhaar replaces existing documents, it causes unprecedented harm to the country as there is no way to distinguish real individuals, on-boarded through careful legal process by government officials, from those added through the Aadhaar database.

Senior bureaucrats who realise this for the first time, are utterly shocked. They have never realised how the Trojan Horse of Aadhaar got into their department or ministry. An uncertified biometric or demographic has no legal value and causes incalculable harm to the country.

The biometric, Mr Sharma and his then-chairman Nandan Nilekani told us, is unique. Neither explained why you need a number to retrieve the data if the biometric is unique. The biometric query should have resulted in a unique record being retrieved. The UIDAI confirms that the biometric can’t retrieve a unique record. In fact, they don’t even know how many unique biometrics exist in the entire database. Astonishingly UIDAI’s affidavit to the Supreme Court in the WP 494 of 2012 and associated matters indicates that at least 600 crore Aadhaar numbers out of 1,200 crore have never been used to authenticate any transaction ever. Clearly, there is no merit in any claim that the biometrics can be the basis for unique entries in the Aadhaar database and the Aadhaar database is free from ghosts and duplicates. From the looks of it, at least 60 crore numbers in the database are ghosts and duplicates.

Mr Sharma’s Aadhaar challenge is the shocking irresponsibility of a public official who sidesteps the questions of the national interest and validity of using the Aadhaar for anything at all. It is indifferent to the harm and implications of using — and replacing — legal and valid IDs issued by government officials with an uncertified, unverified, unaudited and non-unique number.

Mr Sharma’s Aadhaar challenge highlights his non-comprehension about the harm caused by using Aadhaar in government databases on our sovereignty, democracy and republic; our national security; the integrity of our financial transactions and economy; ensuring good governance; and eradicating corruption.

Is there no harm when a nation cannot distinguish its own from imposters? How then can it protect its sovereignty, democracy and republic? After Aadhaar, government departments and private service providers have stopped recognising those whom they knew for decades. This is just like AIDS where the body fails to distinguish the self from non-self and destroys itself. What national or public interest is served in infecting the nation with this disease? What national and public interest is served in protecting the disease as the nation dies a painful death?

It is astonishing that Mr Sharma has failed to reflect on the objections and concerns that the Reserve Bank of India raised to his letters, during his tenure as the DG of UIDAI, to the then RBI governor, Dr Duvvuri Subbarao. Mr Sharma and Mr Nilekani had pressured the RBI to enable Aadhaar as the KYC to open bank accounts and to allow eKYC to allow opening of bank accounts in the absence of the customer solely on the basis of such ridiculous Aadhaar data. Neither he nor the UIDAI have studied, understood, cared or taken responsibility for the consequences they unleashed. If the Airtel Payments Bank alone having opened 37 lakh bank accounts that received `167 crore of LPG subsidy is a matter for concern, then the doubling of bank accounts and doubling of deposits, in just the first five years of use of Aadhaar to open bank accounts, should be a matter of alarm and investigation. No one knows whose money sits in these accounts and who regulates these accounts opened on the basis of uncertified, unverified, unaudited and non-unique numbers.

It is amazing that Sharma is unable to notice the harm that neither the finance ministry nor any other ministry knows who the beneficiaries of government benefits and subsidies are. Even today they continue to claim that uncertified, unverified, unaudited and non-unique numbers have identified and eliminated duplicates and ghosts in non-existent databases.

Does Mr Sharma fail to see the harm that the taskforce on Direct Transfer of Subsidies under the chairmanship of Mr Nilekani of which he was a member caused? Since June 2011, this task force unleashed UIDAI’s colonisation of every relationship and department that delivers subsidies or benefits even though the UIDAI takes no responsibility to ensure the delivery of service. Isn’t it harm, Mr Sharma, when you destroy governance by allowing third parties like the UIDAI and NPCI, who have no skin in the game or consequence of their action, to corrupt the relationship between the people and their government or service providers?

Evidently, Mr Sharma also fails to recognise the harm of exclusion caused to hundreds or crores of people as Aadhaar colonises and corrupts existing databases. Mr Sharma fails to recognise the harm caused by UIDAI by putting at least 85 lakh persons to civil death until 2016 by disabling their Aadhaar. Mr Sharma fails to realise the harm of corruption as, according to Mr Nilekani, Rs 95,000 crore were transferred through Aadhaar payments to uncertified, unverified and unaudited accounts in the last financial year itself.

Mr Sharma, the Aadhaar challenge is not about what harm exposing your Aadhaar number will do to you. It is about ending the harm that the Aadhaar has unleashed on the country and its people. It is about ending the harm caused by colonising, corrupting and destroying people’s relationships with their government and their service providers.

Dr Anupam Saraph, PhD, is a Professor and Future Designer

Related posts

India – The Poor done by #Aadhaar

The poor are the guinea pigs for immature financial technologies

Vimla Devi is a poor widow who lives in Kodakel village of Khunti district in Jharkhand. In a short video circulated recently on Twitter, she explains how she has been running from pillar to post for months to find out what happened to her pension. When she enquires at the block or district offices, she is told that her pension is being paid regularly every month. Her bank statement, however, suggests that the monthly payment of Rs 600 stopped after September 2017.

It turns out that Vimla’s money is going to an Airtel wallet she knows nothing about, or rather knew nothing about until a team from Jharkhand’s right to food campaign looked into the matter on May 27, 2018. With some effort, her money can probably be retrieved from the wallet. But thousands of other people like her in Jharkhand who are also being swindled by Airtel may not be so lucky. The victims include not only pensioners but also other recipients of the so-called ‘direct benefit transfer’ payments.

When Vimla’s testimony was tweeted, one puzzled reader asked – “How can pension money be sent to an Airtel wallet?” The question shows that even the educated middle class knows little about the pathologies of the Aadhaar Payments Bridge System. Indeed, the credit for this goof-up, so to speak, goes not only to Airtel but also to the APBS and its progenitors, the Unique Identification Authority of India and the National Payments Corporation of India.

The goof-up begins with the opening of an Airtel wallet behind the customer’s back. This happens, or rather used to happen, as follows. One way of buying an Airtel SIM card is to use Aadhaar-based biometric authentication to identify yourself. This enables Airtel to access your demographic information from the UIDAI’s Central Identities Data Repository. In the process, apparently, you ‘consented’ to the opening of an Aadhaar-linked Airtel wallet. Perhaps this was actually optional: according to one account, consent took the form of clicking on a box in a pop-up window. The fact remains that many people exercised that option without knowing it or meaning to. Did you check the details of the ‘terms and conditions’ last time you ticked boxes to buy a SIM card or make a payment online? I doubt it.

So far so bad. But how did Vimla’s pension end up in that stealth wallet? That is where the APBS comes in. The wizards of APBS want Aadhaar to become a “financial address”, as the UIDAI puts it. Today, if I want to send you money by electronic bank transfer, I need your name, account number, and IFSC code. And if you change your bank account, I will need the new details. With APBS, your Aadhaar number will suffice – if your bank account is linked with Aadhaar, APBS will find it wherever it is (using the ‘NPCI mapper’).

But there is a catch – what if you have several bank accounts? The answer, at least for now, is that APBS sends the money to whichever account was most recently linked with Aadhaar – let us call this the ‘latest Aadhaar linked account’ rule. Very few people, however, know about the LALA rule. Vimla Devi, for one, has never heard about it. Yet it is this brilliant rule that automatically diverted her pension from her Bank of India account to her Airtel wallet.

Fortunately, the victims of the Airtel scam include relatively privileged and educated people who raised the alarm bells a few months ago when their LPG subsidy started finding its way to Airtel wallets. According to media reports, Airtel was pulled up by the UIDAI and had to pay a fine of Rs 2.5 crore aside from returning Rs 190 crore to 31 lakh customers affected by the diversion of LPG subsidies. But what did not happen, evidently, is the cancellation of all Aadhaar-linked Airtel wallets. That is why people like Vimla continue to search in vain for their pension money or other cash benefits. As someone aptly commented on Twitter, “[If] unauthorised Airtel wallets are still operational… the 2.5 crore penalty paid now sounds more like a bribe than anything else.”

The Airtel scam is just one example of the hazards of the LALA rule. Because most people don’t know the rule, they often spend time and money looking for their cash benefits in the wrong place. This is especially unkind to the elderly, single women and disabled persons, for whom every visit to the bank can be an ordeal. Among other tragic victims of the LALA rule is Premni Kunwar in Garhwa district (Jharkhand), who died of hunger last year after her pension was diverted to someone else’s account because her Aadhaar number had been wrongly linked to it. Incidentally the APBS, like Airtel wallets, has a veneer of “informed consent”, but in practice, consent is a fiction, at least for people like Vimla Devi and Premni Kunwar.

Further, the LALA rule is just one of the many hurdles that are being faced today by recipients of DBT payments. The term, ‘DBT’, is a little confusing, but in practice, it seems to refer to cash benefits delivered through Aadhaar-linked bank accounts (not necessarily via APBS). To facilitate DBT, Aadhaar-linked bank accounts were opened en masse in the early days of the Jan Dhan Yojana. Many of them were unwanted or redundant accounts that were later declared “dormant” by the banks or even closed without people’s knowledge. Others were frozen because the account holder was unable to meet the ‘e-KYC’ requirements (including biometric authentication), imposed ex post. Inconsistencies among the Aadhaar database, bank records and other databases such as pension lists or job cards also affected the DBT system. All this created serious problems for DBT recipients, from pensioners and National Rural Employment Guarantee Act workers to pregnant women who are struggling to claim their maternity benefits.

One example, among others, is the problem of “rejected” NREGA wage payments. According to official data from the ministry of rural development, close to Rs 500 crore of NREGA wage payments were rejected in 2017-18, of which Rs 321 crore was still pending last May. The rejections come with all sorts of obscure error codes that local officials, let alone NREGA workers, find difficult to understand.

One of the error codes, for instance, is “inactive Aadhaar”. None seems to know what this stands for. When James Herenj, coordinator of NREGA Watch in Jharkhand, asked the UIDAI for a clarification under the Right to Information Act, the UIDAI pleaded ignorance and forwarded the query to the MoRD, where it was redirected to the Jharkhand government. Unable to clarify, the Jharkhand government helpfully suggested going back to the MoRD.

I am mentioning Jharkhand because that is where I live, but similar problems are bound to exist in other states. Depriving pensioners or NREGA workers of their meagre incomes, without putting in place effective assistance facilities, is a glaring injustice. Interestingly, the UIDAI had no difficulty in recognizing the injustice when it came to the diversion of LPG subsidy. Swift action was taken and an audit was even commissioned from PricewaterhouseCoopers. Meanwhile, poor people continue to be treated as guinea pigs for immature financial technologies. What needs auditing is not just Airtel’s antics but the entire DBT system and, especially, APBS. But with the UIDAI safely ensconced behind a thick wall of impunity, who will bell the cat?

The author is Visiting Professor at the Department of Economics, Ranchi University

Related posts

India – Cracking eAadhaar password in 2 seconds with Maths #mustshare

Somdev Sangwan

This article is already kind of lengthy so let’s get straight to the point.

Every eAadhar letter is locked with a password which is a fixed string of following schema:

first_four_letters_of_name_in_uppercase + year_of_birth

Basically there are 4 uppercase alphabets & 4 digits involved. So how many combinations can be generated from 4 uppercase alphabets and 4 digits? The answer is 2821109907456 and it would take 90 years to crack the password if we try 1000 combinations per second.

Ain’t nobody got time for that!

Time for some maths & shit!

Opps! We just made a mistake here, we don’t have to calculate all the combinations because the password is in this form:

 (4 uppercase letters)      (4 digits)
       (Group 1)            (Group 2)

The alphabets are in a group and lie before the digits which are also grouped so there’s no possibility that they can be mixed to form a combination like S2N65GE1 . So how many combinations are possible after considering that?

Lets calculate the number of combinations of 4 letters which can be formed by 10 digits i.e. 0-9 :

(10)⁴ = 10000

So there will be 10000 possible combinations. Great! Now lets calculate the same for alphabets.

(26)⁴ = 456976

And all the combinations of 10000 digit and 456976 alphabets combinations will be:

456976 * 10000 = 4569760000

And if we try 1000 combinations in 1 second we will need this much of time

4569760000 / 1000 = 4569760 seconds
52 days 21 hours 22 minutes and 40 seconds

Yay! We just decreased the time required from 92 years to 53 days!
The change is orgasmic but it’s still too much. What else can be done?

Here’s the catch, these are just not 4 alphabets and 4 digits, these are first letters of the name & year of birth of someone.

A human can live up to 100 years which means someone born in 1642 can’t be alive and hence can’t have an Aadhar card.
Time traveling is also impossible at the moment which means someone who is going to be born in 2594 can’t travel back to the time to get an Aadhar card.

So the combinations ranging from 0000–9999 aren’t valid. We just need the 1918–2018 range which covers humans of age 0 to 100.

So now the number of combinations and time required is:

456976 * 100 = 45697600 combinations
45697600 / 1000 = 45697.6 seconds
12 hours 41 minutes 37 seconds

That’s some really nice progress! It’s still too much tho. Can we go any lower than that? Yes we can but we will lose some of the accuracy but that doesn’t matter when you have to crack a lot of password and it’s actually better, you will read about it in the end.

Just like all the combinations of digits weren’t valid years of birth, similarly AAAA or PZVS aren’t valid four first for letters of an indian name.

So what would an attacker do? Well here’s what I did:

I used my Photon to scrape names from a website which was basically a directory of Indian names and I found 3283 unique names! I used the following command to extract the first 4 letters and filtering out the duplicates

grep -oP ”^\w{4}” custom.txt | sort | uniq | dd conv=ucase

These are 1598 entries! There were many duplicates, for example the first four letters in the names Sanjeev & Sanjit are same.

Are you thinking that 1598 prefixes are too low for a population of 1.6 billion? Yep, that’s kinda of true but these are not names, these are prefixes! The wordlist can be found here, feel free to search first four letters of your name in it and most likely you will get a match. If I had proper time, I would have scraped around 10000 names from different websites and I think that would make 3000 unique prefixes. But let’s consider it 1598 for now.

Anyway, let’s calculate the time required now

1598 * 100 = 159800 combinations
159800 / 1000 = 159.8 seconds
2 minutes 39.8 seconds

Hell yeah! Now what? The article promises that we can further reduce this time to 2 seconds but how?

First of all,2 minutes and 39.8 seconds is the time required to try all the combinations at a rate of 1000 combinations / second. But what if the 11th combination matches the password? or the last one? or the first?

So if we can somehow alter the probability of matching a password early in the combination list that would drastically reduce the required time.

Let’s use some facts for that!

According to this wikipedia entry

India has more than 50% of its population below the age of 25 and more than 65% below the age of 35.

So instead of creating combinations with age 01–100, a smart move would be to try this:

  1. 25 – 01 (reversed because young ones are not likely to have an aadhar card)
  2. 25 – 35
  3. 36 – 100

So if we take the age statistics into account, the chance of matching the correct password in first 1598 * 25 = 39950 combinations is 50% which means we will crack half of the passwords in 39950 / 1000 = 39.95 seconds! And in the next (1598 * 10) / 1000 = 15.8 seconds , we will have %15 more passwords! So basically we will have 65% of the passwords in 55.9 seconds . We have come a really long way!

Can we go any lower? Yes we can!

I have a list of 100 most popular Indian names and that’s just a google search away. So I can put those names earlier in the list and boost the probability of matching the password earlier.

You know what? 80% of India’s population is Hindu so if we put Hindu names earlier in the list then we will be able to crack 80% of the passwords without even trying the rest 20%.

So how much time did we managed to decrease with this approach overall? Let’s analyze!

We are using 100 most popular names earlier in the list, what that means? Let’s say India’s 15% population uses these names. I personally believe the percentage is more than that but let’s stay on the safe side. Well so we will be able to crack 15% passwords right away! And for 80% of the rest 85% names (100% – 15%) will be hindu names so that means we will be able to crack around 79% (considering 1% popular names aren’t hindu) names in the next 65% tries!

I am sorry! I forgot about the age thing? Let’s consider everything and try to calculate the time required to crack passwords of 100 people.

Lets divide them into groups first!

100 : Total People {
    50 : People 00-25yo{
        7 : People with popular name,
        43 : People without popular name {
            34 : Hindus,
            9 : Non-Hindus
    15 : People 00-25yo{
        3 : People with popular name,
        13* : People without popular name {
            10 : Hindus,
            3 : Non-Hindus
    45 : People 35-100yo{
        7 : People with popular name,
        38 : People without popular name {
            30 : Hindus,
            8 : Non-Hindus

Now let’s create an algorithm to effectively crack passwords

The numbers in red represent the priority of search space. For example, the combinations for people lying in group 1 will be tried first, then 2, then 3 and so on.

How much time it’s gonna take to crack passwords for all of them?

Instead of trying different combinations for a password. We will use sets of passwords suggested by the algorithm one by one on all passwords.
Phase #1
1 = 11 seconds for cracking 7 passwords
2 = 3 seconds for cracking 3 passwords
3 = 11 seconds for cracking 7 passwords
We have cracked password for 17 people so far, 83 people left.
Now remove all these combinations from the combination list and
try next set of combinations i.e. combinations for 4, 5 and 6.
Phase #2
4 = 54 seconds for cracking 34 passwords
5 = 16 seconds for cracking 10 passwords
6 = 47 seconds for cracking 30 passwords
Phase #3 (after deleting combinations for previous phase)
7 = 14 seconds for cracking 9 passwords
8 = 5 seconds for cracking 3 passwords
9 = 12 seconds for cracking 8 passwords
Total time taken: 11 + 3 + 11 + 54 + 16 + 47 + 14 + 5 + 12 = 173 seconds i.e. 2 minutes 13 seconds
Total passwords cracked: 100
Average time per password: 173/100 = 1.73 seconds

From 92.27 years to 1.73 seconds, it was an amazing journey. Wasn’t it?

This story is published in Noteworthy, where thousands come every day to learn about the people & ideas shaping the products we love.


Related posts