This PR from @UIDAI yet again proves how Aadhaar is malleable beyond any scrutiny.

(Now withdrawn:

A thread on the history of how this has changed over time.
@pramodkvarma (Chief Architect, Aadhaar) 's presentation in 2010 at IITB claimed Aadhaar will only have "YES/NO" response.
@NandanNilekani (then Chairman, UIDAI) claimed the same in a presentation to the World Bank on April 24 2013.

> Only YES/NO response, no details - no invasion of privacy.

The same presentation voids this claim by mentioning eKYC
The eKYC APIs currently return:

- Name, UID, DOB, Gender, Phone, Email, Address
- Address in local language
- Digitally signed e-Aadhaar PDF

Aadhaar went from a "YES/No" system to a surveillance API in a span of years. (Section 3.4.1)
This is a major issue with Aadhaar: A xerox is identical to your original Aadhaar, and holds the exact same information.

It needs to be digitally authenticated to be worth anything, but not everyone could do so.
So UIDAI "morphed" Aadhaar again to fix this issue by e-Aadhaar with a QR code for offline verification.

You can scan the QR and read the information on the QR code.
So e-Aadhaar showed up.

April 2017, from a UIDAI Circular:

> "downloaded e-Aadhaar should be treated at par with printed Aadhaar"
Now an e-Aadhaar by itself only validates that the information is valid, but it doesn't validate whether the bearer is the same person as on the document.

So photo were added into the e-Aadhaar QR code (which got signed). So, you could scan an Aadhaar, and match the photo.
By 2018, Aadhaar has now gone from a "YES/NO" API to a printout that carries your low-res photo that anyone can still use for identity theft.

What about "PVC cards"?
Feb 2018, UIDAI Press Release

> The print out of the downloaded Aadhaar card, even in black and white form, is as valid as the original Aadhaar letter sent by UIDAI. There is absolutely no need to print it on plastic/PVC card or get it laminated.
Quick security aside: Your goal in infosec is to make fraud economically unfeasible. Fraudsters will always find a way, but you must keep the cost of an attack high enough for it to be unfeasible.

eg: Captchas are fallible, but its an economic barrier to what they protect.
(Twitter deleted the rest of my tweets, so re-typing)

Common security guidelines include things like holograms, watermarks (costly to forge). UIDAI decided against these by saying no to PVC cards.
In 2020, Aadhaar morphed again to offer a PVC card with the usual security features.

It costs 50 INR.
However, the old Aadhaar printouts, letters remain as valid as always. No statement from UIDAI asking users to upgrade.

The world's largest Identity Program has ever-shifting security and privacy guarantees, but there's no accountability from UIDAI.

You can follow @captn3m0.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled: