Ajay Bhushan Pandey, CEO of the Universal Identification Authority of India (UIDAI), the agency that implements India’s controversial Aadhaar project, shared his authentication logs with the Constitutional bench of the Supreme Court last week.
His aim, ostensibly, was to show how Aadhaar incorporates “privacy by design”, to quote the accompanying PowerPoint presentation.
It wasn’t long before Aadhaar critics on Twitter pored over his logs and proved just the opposite.
Cybersecurity analyst and software developer Anand Venkatanarayanan revealed how just looking at six months’ worth of authentication data could offer clues to Pandey’s physical movements, his phone service provider, the banks where he has his accounts, and even his daily schedule.
Two failed attempts to link his ICICI bank account to his Aadhaar at midnight on Republic Day, for instance, suggest that seeding bank accounts with Aadhaar is giving the UIDAI CEO sleepless nights as well.
Other gems include the fact that only one transaction in the past six months was authorised using his biometrics. The transaction, which was conducted at IDFC bank a day before the Court re-convened to discuss the Aadhaar matter, failed.
Privacy advocates have long maintained that seeding Aadhaar with other forms of identification allows for the creation of detailed databases that can be used to track citizens.
Read the thread to know more about Pandey’s life.
OK. OTP linking at midnight. He definitely has 3 accounts with ICICI Bank. May be a credit card (OR) 2 bank accounts (OR) 3 bank accounts. He has linked them all on Republic Day. So he was not in office but is doing it from his home. Why 3 accounts? UKC:XXX is different. pic.twitter.com/RIPGA18rDl
Another “Internal Auth Service Monitoring” on Republic Day at 7 PM? Hmm, he was probably in office checking out some data centers. Maybe they have a special PIN based terminal for him to go in. That is one hypothesis. Let us keep that to ourselves for now. pic.twitter.com/3BnKZpfDJd
He used “UIDAI Services”. That is not an internal AUA and not a public one. So we can conclude that he was browsing the web then from the confines of his office during this time among other things.