Aadhaar is a Sanskrit word which means ‘foundation’ or ‘basis’; the phonetically
close Sanskrit word “Adhar” means ‘in-between’ or ‘incomplete’. The
Government’s effort for Unique Identification (UID) for all CITIZENS is in Adhar
and not in Aadhaar because Aadhaar is UID for all RESIDENTS, including
illegal residents. Worse still, Aadhaar is one of the primary routes for
getting government benefits from various schemes. This implies that a reasonably
large percentage of Indian taxpayer money is being spent to sustain illegal
migrants, especially from Bangladesh.
Aadhaar is used to obtain other identification documents, including ration card,
bank account, driving licence and passport, even by illegal migrants, thus slowly
but surely converting them into Indian Citizens.
The challenge posed by placing all biometric data in a common database is a well-known
hazard. Therefore, Aadhaar poses serious financial, demographic, privacy,
social and security concerns for the present and next few generations of INDIAN
the wrong premise
intends to use biometrics for the authentication of Indian residents. According
to the philosophy stated in the “UIDAI Strategy Overview”, authentication is based
on the following three methods:
a) What you know: something the user uniquely knows that is not
public, such as a password, passphrase, picture, story, song, etc.
b) What you have: something the user uniquely has, such as a smart
card, token, mobile phone, etc.
c) What you are: something the user individually is or does,
such as biometrics (face, fingerprint, iris pattern), signature, handwriting, etc.
These principles rest on a premise which is no longer valid. There are two
major problems with “What you are” as a method of authentication.
Unlike a password, biometric data is not secret and is not fully under the control
of its owner. Biometric data today is shared not only with the Aadhaar
authorities but practically everywhere, including attendance systems and banks,
and it is even left on the tables and doors that the individual touches.
In 2014, the well-known hacker Starbug, who broke Apple’s TouchID sensor
within 24 hours of its release, took some photos of German defence minister
Ursula von der Leyen while she was addressing an event and, by the end of the
event, presented her fingerprint. Such fingerprints can then be copied
mechanically or electronically and fed into another electronic system/
support to non-citizens
Section 9 clarifies that Aadhaar is not proof of Citizenship or Domicile. This
means that benefits accruing out of Aadhaar will be niraadhaar (without the
basis of Citizenship). It is very strongly recommended that a special mark be
included in the Aadhaar number itself (such as a * mark) to show that the person is
NOT a citizen of India. The government has passed repeated orders to identify
Indian Citizens, but there appears to be no progress in this regard. In any
case, the requesting entity must know whether the person being enquired about is Indian
According to section 11(2), the authority will be a body corporate, which means it will
be covered under section 43(A) of the Information Technology Act and the rules made
thereunder. It also means that the authority will not have the protection provided
to the government in case of any failure. If for any reason any core
biometric information is lost, the authority will face civil liability of an
unlimited amount. Unlike the other methods of authentication, biometric
loss is a lifelong loss, hence the liabilities for such loss will be far greater.
In the case of complete loss, the civil liability may run to a few lakh crores. Is the
authority or the government ready for such a loss?
Will the government be morally right to pay for such loss to the citizens of India from
the money collected through taxes from the citizens of India, for its own
incompetence? The Act is silent on this risk assessment.
Biometrics are permanent; unlike a password or a smart card, they cannot be
changed. God forbid, if the complete Aadhaar database is compromised (like that
of Sony), which must be expected, the biometrics of all citizens
will be compromised. Isn’t it far too big a risk for the government to take?
Access to sensitive areas such as defence installations, which use biometrics
for access control, will automatically become unusable for the rest of that senior
defence officer’s life. There is no way to correct the situation, unlike a password and
The challenges in this field will increase manifold as financial transactions based
on biometrics increase. For example, the government had ordered that
App Praman be used for issuing life certificates for all pensioners. An
individual can create an artificial copy of his own fingerprint and give it to his
family to continue drawing his full pension even after his death.
in hands of foreigners
Section 14 does not limit the citizenship of the chairperson and the members of the
authority; hence it is possible to appoint a chairperson who is neither Indian nor
resident in India. It is therefore necessary to make appropriate amendments
to section 14 so that it states that the chairperson and members must be
‘resident Indian citizens’ only. If we cannot find a reasonably competent person
to be chairperson or member of the authority, then it is a matter of shame.
Additionally, if such persons are foreign nationals then ensuring compliance with
Section 16 will be impossible.
Chairperson or a Member
In a case of any breach of Section 16, related to the cooling-off period of three
years for the Chairperson and members, there is no provision in the Act for
appropriate punishment. Thus there is no deterrent against non-compliance. The maximum
punishment under the general provision in Section 42 is just one year’s
imprisonment, which is bailable and non-cognizable.
with Software, Hardware and Database Vendors
There has been repeated questioning of the UPA government in respect of the contracts it
signed with various software and hardware providers and database
maintainers, especially the contractual agreement between the Authority and
MongoDB. Neither the UPA government nor the NDA government has issued any
clarification in this regard.
If silence is considered acceptance of this contractual flaw, then section 22B
has extended this contractual liability forever and shared the private
sensitive data of Indian citizens and residents with the US government. The charges
are serious and silence is not an answer.
(C) empowers the Authority to appoint an entity for the operation of the Central
Identity Database Repository (CIDR). However,
no limitation has been placed in this regard to ensure that Indians’ core sensitive data
will not be handed over to a foreign entity. There is a precedent for such
misuse, with serious national security impact.
The National Information Exchange of India (NIXI) was created so that
communication within the Armed Forces does not traverse Internet exchanges
located in the USA and intra-India Internet-based communication stays within the
territory of India. After severe pressure from the National Security Council
Secretariat, NIXI was created by the Government in 2003, but its operations
were handed over to a Uganda-based company. The primary objective of keeping such
communication out of the reach of foreigners was defeated.
to Risk Transfer
in case of leakage of the personal sensitive data of ALL Indian citizens is
enormously high and irreparable. Once biometrics are lost they are lost forever;
no change is possible. Through Section 28(4)(c), the Act has made a weak
attempt to transfer such risks to consultants and advisers, which is neither
practical nor sufficient to meet the civil liabilities in case of loss of any
core biometric information. If the decision to implement any advice is
that of the Authority, then the liability must also rest with the Authority.
Only limited liability, up to the fee so paid, can be charged to advisers and
consultants. No court will support such an open-ended provision.
Section 13(3) allows the intelligence agencies to dip into the core
biometric information and even extract it for an individual or group. As
explained earlier, creating a duplicate fingerprint or iris scan is not
impossible; hence intelligence agencies could be used to
create a fake presence of an individual who is politically motivated or otherwise
inconvenient to the government of the day, or to a senior person in such an
Intelligence Agency. The checks and balances are totally opaque: not even a
summary of such access by intelligence agencies is shared with the public.
The Act is also silent on the security and privacy of the databases collected over
time by Intelligence Agencies interacting with the CIDR. With
this single mechanism, Gestapo- or Nazi-type operations can easily be launched.
Unlike many advanced countries, India does not have an Intelligence Services
Act to fix accountability. Hence this can lead to serious breaches of the freedom of
citizens. (I have personally suffered such abuse by Intelligence Agencies.)
The Central Identity Data Repository (CIDR) will be a valid and lucrative target for cyber
war. Operation PRISM, Vault 7 and many other leaks of information from the NSA
(USA) have clearly established that the agenda of the United States is to have
cyber supremacy over the world.
The “UIDAI Strategy Overview” document elaborates in detail various security
features in the chapter “4.0 - Authentication and e-KYC authentication
services”, where extensive use of RSA and similar algorithms has been
It may be
noted that the RSA-designed algorithm has an inbuilt security loophole for the US Government
to hack into any system or individual using it. Therefore, unless such algorithms,
including their random seed generators, are written, vetted and certified in India,
they will be a serious cyber-war-related security threat.
India has the capacity to write such code and to vet and certify it, but it is not clear whether
the source code of these algorithms has been written in India and vetted by a
separate Indian authority. If these are provisioned directly from
wherever the software and database have been procured, then it must be assumed
that the CIDR already stands compromised, and the US government already has Aadhaar
Punishment with Complex Procedures
Chapter VII of the Act shows that the Government is NOT serious about punishing anyone in
case of any breach. On one hand, the Act admits that it is collecting the personal
sensitive data of all residents of India; on the other hand, no
offence mentioned carries a punishment of more than three years of imprisonment.
No court is allowed to take cognizance of any offence under this Act without a
written complaint by the Authority or on its behalf, which means the offences are non-cognizable,
which further means that no police or investigating authority can investigate
any offence on its own.
No citizen has any right to approach any court and make a complaint for any offence under
this Act. No criminal liability can be brought under any
Section of the Act, except by the Aadhaar Authority itself.
The case of Edward Snowden stealing this type of information
from the National Security Agency of the USA is well known. In the case of a similar act by any
employee of the authority, the maximum punishment is just ONE year of imprisonment
with a fine of Rs. 25,000/-.
Does the Government intend that an employee of the CIDR who has authorised access and takes
unauthorised copies from the CIDR is not a serious offender? On similar lines,
if the chairperson and/or members compromise anything related to Aadhaar, no
action can be taken against them unless the same authority complains against
itself [refer section 47(1)]. Even the Government has no power to make a complaint
for any such criminal liability.
The Government has cut its own hands; it cannot even issue directions related to technical or
administrative matters (submitting a complaint for an offence is an
administrative action, not a policy issue), as the Aadhaar authority becomes the
ultimate authority in such matters under the proviso to Section 50(1). On one hand,
there is no offence which attracts a punishment of more than three years, hence no
offence is considered serious enough; on the other hand, such cases must be
tried by no court inferior to that of a chief metropolitan magistrate or a chief
judicial magistrate [refer section 47(2)].
We have a situation where a criminal proceeding can be initiated ONLY on the ‘complaint’
of the Aadhaar Authority; police investigation is NOT necessary; such
offences, despite their low punishment value, can be tried ONLY in a CMM or
Sessions Court; but no court can give a punishment of more than three years of
It appears that the present Government has picked up the pathetically drafted
Aadhaar Bill prepared by the UPA Government, dusted it off, rehashed it in a few places
and got it passed through the backdoor as a Finance Bill. The objective of
delivering targeted financial help and avoiding corruption is noble, but the present
Act and the approach of UIDAI are full of loopholes. Most parts of the Act are
correctable. For example: the core biometric must not be used for any
authentication nor shared with anybody, including intelligence agencies, but it
can be used in appropriately air-gapped systems for de-duplication of
identities. The present Act in its current form is a threat to national
https://youtu.be/_6JnKT6ybj4 , http://www.instructables.com/id/How-To-Fool-a-Fingerprint-Security-System-As-Easy-/
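The three-factor passage earlier and the closing recommendation (core biometrics kept out of authentication, used only for de-duplication in an air-gapped system) can be made concrete in code. The Python module below is an added example written for this page; it is not UIDAI’s code, nor anything from the Strategy Overview, and every record, salt, token and “template” in it is constructed for the demonstration. It shows an authentication policy under which a biometric match never satisfies an authentication request (only the knowledge and possession factors count, and they are checked with salted hashing and constant-time comparison), and a separate de-duplication routine that is the only place biometric templates are compared.

```python
# Added example, not from the article or UIDAI: a small policy engine in
# which "what you are" never counts as an authentication credential, and
# biometric templates are compared only by an offline de-duplication pass.
# Every name, salt, token and template below is constructed for the demo.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class Factor(Enum):
    KNOW = "what you know"   # password, passphrase
    HAVE = "what you have"   # smart card, token, phone
    ARE = "what you are"     # fingerprint, iris


# Categories that may satisfy an authentication request. ARE is deliberately
# absent: a biometric is public and cannot be revoked, so it is treated as an
# identifier for de-duplication, never as a secret.
AUTH_POLICY = frozenset({Factor.KNOW, Factor.HAVE})


@dataclass
class Enrolment:
    uid: str
    salt: bytes
    password_hash: bytes
    device_token: bytes
    template: bytes      # constructed stand-in for a biometric template


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: a leaked store does not expose the passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enrol(uid: str, password: str, device_token: bytes, template: bytes) -> Enrolment:
    salt = secrets.token_bytes(16)
    return Enrolment(uid, salt, hash_password(password, salt), device_token, template)


def authenticate(rec: Enrolment, presented: dict) -> tuple:
    """Return (ok, reason). `presented` maps Factor -> value offered."""
    satisfied = set()
    if Factor.KNOW in presented and hmac.compare_digest(
            hash_password(presented[Factor.KNOW], rec.salt), rec.password_hash):
        satisfied.add(Factor.KNOW)
    if Factor.HAVE in presented and hmac.compare_digest(
            presented[Factor.HAVE], rec.device_token):
        satisfied.add(Factor.HAVE)
    # Factor.ARE is intentionally ignored here even if present and matching.
    missing = AUTH_POLICY - satisfied
    if missing:
        return False, "missing factor(s): " + ", ".join(sorted(f.name for f in missing))
    return True, "ok"


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of matching bits between two equal-length templates
    (a toy matcher standing in for a real biometric comparison)."""
    bits = 8 * len(a)
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return (bits - differing) / bits


def deduplicate(records, threshold: float = 0.9):
    """Offline pass over the enrolment store: report pairs whose templates
    are near-identical, so a second identity for one person can be caught.
    Nothing here grants access; it only flags records for human review."""
    return [(x.uid, y.uid) for x, y in combinations(records, 2)
            if similarity(x.template, y.template) >= threshold]


# Constructed enrolments; R-003 is the same person as R-001 enrolled twice.
STORE = [
    enrol("R-001", "correct horse", b"tok-a1", b"\x0f\x0f\x0f\x0f"),
    enrol("R-002", "battery staple", b"tok-b2", b"\xf0\xa5\x33\x0c"),
    enrol("R-003", "some other pw", b"tok-c3", b"\x0f\x0f\x0f\x0e"),
]


def demo() -> dict:
    alice = STORE[0]
    return {
        "know+have": authenticate(alice, {Factor.KNOW: "correct horse", Factor.HAVE: b"tok-a1"}),
        "biometric only": authenticate(alice, {Factor.ARE: alice.template}),
        "know+biometric": authenticate(alice, {Factor.KNOW: "correct horse", Factor.ARE: alice.template}),
        "duplicates": deduplicate(STORE),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The structural point is that the template matcher is reachable only from `deduplicate()`, which runs over the enrolment store and never issues an access decision; `authenticate()` does not even look at a presented biometric, so a copied fingerprint of the kind the article describes gains nothing against this policy. The bit-agreement matcher is a stand-in for a real one; what matters is which code path is allowed to call it.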
The author is the first National Information Security Coordinator (retd.),
Government of India. The present cyber security structures date from his time,
and since then not a single structure has been added, only improvements have
2008-2013©copyright, All Rights Reserved. Vijayvaani Publishers.