Read on Twitter
This PR from @UIDAI yet again proves how Aadhaar is malleable beyond any scrutiny.
(Now withdrawn: https://pib.gov.in/PressReleseDetailm.aspx?PRID=1829162)
A thread on the history of how this has changed over time. https://twitter.com/PIBTvpm/status/1530174793118384128
(Now withdrawn: https://pib.gov.in/PressReleseDetailm.aspx?PRID=1829162)
A thread on the history of how this has changed over time. https://twitter.com/PIBTvpm/status/1530174793118384128
@pramodkvarma (Chief Architect, Aadhaar) 's presentation in 2010 at IITB claimed Aadhaar will only have "YES/NO" response.
https://www.cse.iitb.ac.in/~comad/2010/pdf/Industry%20Sessions/UID_Pramod_Varma.pdf
https://www.cse.iitb.ac.in/~comad/2010/pdf/Industry%20Sessions/UID_Pramod_Varma.pdf
@NandanNilekani (then Chairman, UIDAI) claimed the same in a presentation to the World Bank on April 24 2013.
https://thedocs.worldbank.org/en/doc/365321447690002793-0050022015/render/DECLectureNandanNilekaniPresentation.pdf
https://www.worldbank.org/en/news/video/2013/04/24/the-science-of-delivering-on-line-ids-for-a-billion-people-the-aadhaar-experience
> Only YES/NO response, no details - no invasion of privacy.
The same presentation voids this claim by mentioning eKYC
https://thedocs.worldbank.org/en/doc/365321447690002793-0050022015/render/DECLectureNandanNilekaniPresentation.pdf
https://www.worldbank.org/en/news/video/2013/04/24/the-science-of-delivering-on-line-ids-for-a-billion-people-the-aadhaar-experience
> Only YES/NO response, no details - no invasion of privacy.
The same presentation voids this claim by mentioning eKYC
This lie continues to be repeated by @UIDAI on their official website:
https://uidai.gov.in/289-faqs/your-aadhaar/protection-of-individual-information-in-uidai-system/1942-what-are-the-privacy-protections-in-place-to-protect-the-right-to-privacy-of-the-resident.html
https://uidai.gov.in/289-faqs/your-aadhaar/protection-of-individual-information-in-uidai-system/1942-what-are-the-privacy-protections-in-place-to-protect-the-right-to-privacy-of-the-resident.html
The eKYC APIs currently return:
- Name, UID, DOB, Gender, Phone, Email, Address
- Address in local language
- Digitally signed e-Aadhaar PDF
Aadhaar went from a "YES/No" system to a surveillance API in a span of years.
https://uidai.gov.in/images/aadhaar_ekyc_api_2_0.pdf (Section 3.4.1)
- Name, UID, DOB, Gender, Phone, Email, Address
- Address in local language
- Digitally signed e-Aadhaar PDF
Aadhaar went from a "YES/No" system to a surveillance API in a span of years.
https://uidai.gov.in/images/aadhaar_ekyc_api_2_0.pdf (Section 3.4.1)
Another point of malleability: What counts as a "valid Aadhaar".
In 2013, UIDAI claimed:
>the cut away portion of Aadhaar letter is as an officially valid document
(This is wrong, the law says "subject to authentication") https://economictimes.indiatimes.com/news/politics-and-nation/cut-away-portion-e-aadhaar-valid-proofs-of-identity-address-uidai/articleshow/20860633.cms
In 2013, UIDAI claimed:
>the cut away portion of Aadhaar letter is as an officially valid document
(This is wrong, the law says "subject to authentication") https://economictimes.indiatimes.com/news/politics-and-nation/cut-away-portion-e-aadhaar-valid-proofs-of-identity-address-uidai/articleshow/20860633.cms
This is a major issue with Aadhaar: A xerox is identical to your original Aadhaar, and holds the exact same information.
It needs to be digitally authenticated to be worth anything, but not everyone could do so.
It needs to be digitally authenticated to be worth anything, but not everyone could do so.
So UIDAI "morphed" Aadhaar again to fix this issue by e-Aadhaar with a QR code for offline verification.
You can scan the QR and read the information on the QR code.
You can scan the QR and read the information on the QR code.
So e-Aadhaar showed up.
April 2017, from a UIDAI Circular:
> "downloaded e-Aadhaar should be treated at par with printed Aadhaar"
https://uidai.gov.in/images/uidai_om_on_e_aadhaar_validity.pdf
April 2017, from a UIDAI Circular:
> "downloaded e-Aadhaar should be treated at par with printed Aadhaar"
https://uidai.gov.in/images/uidai_om_on_e_aadhaar_validity.pdf
Now an e-Aadhaar by itself only validates that the information is valid, but it doesn't validate whether the bearer is the same person as on the document.
So photo were added into the e-Aadhaar QR code (which got signed). So, you could scan an Aadhaar, and match the photo.
So photo were added into the e-Aadhaar QR code (which got signed). So, you could scan an Aadhaar, and match the photo.
Feb 2018: https://www.livemint.com/Politics/5Gr7j4bgNoLRVtf10cjrzK/To-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar.html
> UIDAI has recently replaced existing QR code on eAadhaar having resident’s demographic details now with a secured digitally-signed QR Code which contains demographics along with photograph of the Aadhaar holder
> UIDAI has recently replaced existing QR code on eAadhaar having resident’s demographic details now with a secured digitally-signed QR Code which contains demographics along with photograph of the Aadhaar holder
By 2018, Aadhaar has now gone from a "YES/NO" API to a printout that carries your low-res photo that anyone can still use for identity theft.
What about "PVC cards"?
What about "PVC cards"?
Feb 2018, UIDAI Press Release
> The print out of the downloaded Aadhaar card, even in black and white form, is as valid as the original Aadhaar letter sent by UIDAI. There is absolutely no need to print it on plastic/PVC card or get it laminated.
https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1519253
> The print out of the downloaded Aadhaar card, even in black and white form, is as valid as the original Aadhaar letter sent by UIDAI. There is absolutely no need to print it on plastic/PVC card or get it laminated.
https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1519253
Quick security aside: Your goal in infosec is to make fraud economically unfeasible. Fraudsters will always find a way, but you must keep the cost of an attack high enough for it to be unfeasible.
eg: Captchas are fallible, but its an economic barrier to what they protect.
eg: Captchas are fallible, but its an economic barrier to what they protect.
(Twitter deleted the rest of my tweets, so re-typing)
Common security guidelines include things like holograms, watermarks (costly to forge). UIDAI decided against these by saying no to PVC cards.
Common security guidelines include things like holograms, watermarks (costly to forge). UIDAI decided against these by saying no to PVC cards.
In 2020, Aadhaar morphed again to offer a PVC card with the usual security features.
It costs 50 INR.
https://twitter.com/UIDAI/status/1314431527422287872
https://uidai.gov.in/contact-support/have-any-question/1024-faqs/aadhaar-online-services/order-aadhaar-pvc-card-online.html
It costs 50 INR.
https://twitter.com/UIDAI/status/1314431527422287872
https://uidai.gov.in/contact-support/have-any-question/1024-faqs/aadhaar-online-services/order-aadhaar-pvc-card-online.html
However, the old Aadhaar printouts, letters remain as valid as always. No statement from UIDAI asking users to upgrade.
The world's largest Identity Program has ever-shifting security and privacy guarantees, but there's no accountability from UIDAI.
~FIN~
The world's largest Identity Program has ever-shifting security and privacy guarantees, but there's no accountability from UIDAI.
~FIN~
