The only upshot of this whole saga seems to be an increased awareness (though a small bit) in general public about importance of privacy in the digital world. Most of the media outlets (both English and regional language newspapers) provided a prominent coverage of this news.
After Snowden, the single illegal U.S. surveillance program he leaked was shut down, the browser vendors essentially forced https everywhere, companies encrypted their WANs, and E2EE became popular in consumer applications. That's just off the top of my head.
tell that to salt typhoon who collected copious amounts of data on all of us.
https still uses unencrypted client hellos (ECH) across the vast majority of the internet, showing which domain the client is visiting in plaintext for multi-site servers to do SNI. DNS is still plaintext on most consumer routers/models provided by ISPs, stingray technology exists in the wild and is widely used to mimic cell towers. E2EE is not popular in consumer applications, even Telegram isn't E2EE and the main ones that claim they are like X's new Chat they have the keys on; Matrix having E2EE still shows metadata in plain text, room names in plain text.
While iMessages, RCS, Signal are mostly mainstream, most people are unaware of the need for E2EE. RCS is its own set of issues.
Pegasus, Cellebrite, I can go on and on with the spyware companies that can just send a text message and infect devices with 0-click exploits.
We can have E2EE, but if they can just see the screen or hook into the messaging app's memory, it doesn't mean much.
Pick up your cell phone, is it connected to Wifi? Can it see other Wifis? Apps track those nearby SSIDs and report to major databases to have accurate geo-location data down to the spot we stand.
Don't get me started on Ad-Tech.
The EU wants to install backdoors on everybody's devices and get rid of encryption entirely.
Zero Trust Technologies are a fun thing to read into, especially the need for them.
> tell that to salt typhoon who collected copious amounts of data on all of us.
That is not a US government program.
You also brought up ECH, DoH, DoT, Android's fake cell tower detection, and Android's NEARBY_WIFI_DEVICES permission that also demonstrate a strong industry-wide push to limit mass surveillance, contributing to my argument that GGP's assertion that nothing has changed is incorrect.
> The EU wants to install backdoors on everybody's devices and get rid of encryption entirely.
No, it doesn't. Just because someone proposes something doesn't mean the EU wants it, especially when the EU completely removes that proposal from the table.
It was Apple's pushback that led to the DoT backing down [0], but they will most likely either try to push this again if they are able to assuage Apple (e.g. drop the $38B anti-trust bill [1]), or will potentially adopt China- and Vietnam-style data sovereignty regulations.
English speaking urban Indians are loud on English media but ultimately don't matter for political decisions because they can't actually flip an LA or LS election. You need to either be a significant voting bloc or a major economic bloc to become a veto player in any country.
If this means what I think it does, it's good news... But unfortunately, I've a nasty feeling that this will be attempted again and again until it sticks.
We shouldn't call it "cyber safety" as that is a loaded phrase here. Obviously other considerations were part of it.
Yeah, I'm with sateesh in a sibling comment in that this is a win for the digital citizenry's awareness, but I also agree with you that when the EU caves in everyone else will follow.
And I'm sure in the end it will cave in. The "they" have a clear plan supported by infinitely more patience and resources than the "us" can muster, and the von der Leyen presidency has shown clear signs of direction towards more control, less privacy (by weakening the GDPR), and less of the good kind of regulation in industry.
As an EU citizen, I'm very unhappy with the Union's recent direction.
But, at least for now, hooray for the temporary victory on the Indian front!
In a country with dozens of government-supplied IDs, Aadhaar has been a godsend for the common man. It's one card to open a bank account, buy a SIM card, apply for a loan, enter an airport, or whatever.
I held out for many years due to privacy reasons. In the end, I changed my mind - it's just immensely useful to the general public.
You just demonstrated first hand the point made by GP. When the supreme court ordered the Govt to cease making Aadhaar mandatory, they just responded by adding so much friction to daily life without Aadhaar that most people, including privacy conscious folks like you just gave in.
The friction already existed long before supreme court orders. No two departments agreed upon what ID they would need for doing the work. It could be rationcard, PAN, passport, driving license etc. Some organizations asked for more than one ID just in case. India just has too many IDs and it is asked for too many use cases.
Aadhar made it easier than before. It is really a quality of life improvement.
The main issue is government requiring IDs even when it is not usually needed in other countries. Mostly in the name of security. This is the root cause. Aadhar is just the symptom.
However Aadhar does enable deeper breaches into privacy due to its unified nature and the way it is validated through government owned infrastructure. There is full tracking possible on all the services that the residents used.
If Aadhar was a self sovereign ID, then having a single ID is definitely a good thing. It keeps privacy intact while usable where needed.
My point wasn't that no id was required before Aadhaar. It's that any id from a range of acceptable ids like passports, ration card, drivers license worked.
Post Aadhaar, even though all of those IDs are still legal and acceptable under law, the govt has added so much friction on the non Aadhaar path that in practice those IDs are unusable.
> It's that any id from a range of acceptable ids like passports, ration card, drivers license worked.
In reality different IDs were accepted at different departments and there was no consensus. It was really a pain. If someone took ration card as valid, others wanted another ID. In some states it was even worse.
It is true that the government has indirectly made Aadhar mandatory, contrary to the spirit of supreme court order.
I may have yielded, but that happened with the acknowledgement that it's not entirely a bad thing. Other IDs have varying levels of validity and authenticity; today I am of the opinion that countries like India shouldn't waste money and time on these. In fact, I'd say ditch the PAN card as well.
If Aadhaar makes it easier for people living near poverty to get say bank accounts, it'd trump the reservations I have. That's what made UPI possible - just about everyone today has UPI, even people begging for money sometimes have a QR code handy (at least here in Bangalore).
> today I am of the opinion that countries like India shouldn't waste money and time on these.
I agree that there are undeniable benefits from Aadhar. However, the issue is that the narrative from the govt has been that it's an either or situation. Either you have the convenience of Aadhaar, or you have privacy. This is unequivocally false. The solution isn't even technical. There are two simple, easily doable fixes which will deliver most of the benefits without significantly eroding privacy.
1. Ensure that legally valid ids other than Aadhaar are not treated as second class by any govt department. If a non Aadhaar id is refused, the reason must be given in writing. The problem is govt babus like the ease of Aadhaar and hence refuse to do the tiny bit of extra work needed on the non Aadhaar path.
2. Amend the Aadhaar act to ban the use of Aadhaar for anything except identity verification. If any personal data linked to Aadhaar is saved by a platform, then they are liable for leak of the data in the event of a breach.
Just doing these will enable the use of Aadhaar for its original intent which was verifiable identity. The privacy degradation comes from using Aadhaar as a primary key for arbitrary storage of personal data, not from the existence of Aadhaar itself.
These are neither simple, nor easily doable. But the bigger problem is cost (time and money).
My point was that India should switch to a single card/id for everything, and get rid of everything else including the PAN card. Eventually make Aadhaar digital, and chip based so that it can hold your DL as well. Is it bad for privacy? Yes. But what a country should spend on protecting or preserving privacy is a function of where it is on the socioeconomic ladder. If a single ID helps 80% of Indians (a billion people) navigate the labyrinth of our bureaucracy, I'm ok with it, _today_.
Besides, simpler rules go a long way in reducing the power of govt departments (which we can agree on). It reduces cognitive overload for citizens, as well as for govt workers. Factor in where the rest of India stands in terms of education etc, the value of simple rules cannot be overstated.
As someone who values privacy, there are still ways to do it. You just have to invest a lot more energy and time into it though.
What you are proposing is too sweeping, it is not just privacy that suffers. Making a single ID (whose attributes can't be changed) an entire identity of a person is a very risky one. This makes it a single point of failure and in cases like an ID theft, misuse the affected person suffers gravely, and onus will be on them to prove who they are, a Kafkaesque nightmare it would be.
There are several countries which use a single ID for all government interfacing. For that matter, Aadhaar is almost there already. I am not suggesting that private companies should use it, or should be allowed to use it. But a single ID will limit babudom arbitrariness a bit.
> whose attributes can't be changed
Many IDs (outside India) have similar issues, options to change attributes, and various redressal mechanisms.
I don't know how digital IDs are used etc. in other countries and how ubiquitous their usage is. (One ID I'm aware of is social security numbers (SSN) in the U.S., but that is considered PII data and usually companies take steps to protect/mask them). But citing that this is how it is done elsewhere is just an appeal to tradition/common practice and does not necessarily address the points I had made.
Hmm, could you previously open a bank account, buy a SIM card, apply for a loan, or enter an airport without any of those cards? If so, I think it's plausible that the government responded by adding friction to daily life in a way that promoted Aadhaar. If not, they didn't.
My point wasn't that no id was required before Aadhaar. It's that any id from a range of acceptable ids like passports, ration card, drivers license worked.
Post Aadhaar, even though all of those IDs are still legal and acceptable under law, the govt has added so much friction on the non Aadhaar path that in practice those IDs are unusable.
India supreme court is bonkers and often known for its BS judgements devoid of logic and law.
Aadhar is "identity", it is not a "card" of any kind though Indians have an inherent love for collecting various cards for fun. I have my driving license, PAN, aapar, kisan and state government health insurance cards, labor department id card. I have a few more in some drawer.
Once a person gets aadhar, it acts pretty much same as OAuth. You go to a hotel to get a room, Hotel by law is required to verify that your name and face match. You give your aadhar card to them which they scan on their computer and verify that your name matches your face. Because they are a hotel they have right to only verify that.
This is much more privacy preserving than what supreme court did. Because of Supreme Court, hotels no longer bother to implement this and instead demand your passport and other identification, scan it and leave it in their system forever. They also are known to sell this data to others from time to time.
The technical idea behind aadhar was similar to UPI. Government runs the core infra with basic APIs but private companies build apps on top of it. For example, say GPay builds aadhar interface where when you walk into a hotel to reserve a room, Gpay automatically generates a new aadhar number with permissions only to show your name, photo and age. Hotel system verifies that and stores a receipt. If in future government is investigating who stayed in which room, law enforcement can convert these receipts to identification.
This was a better model which would have unlocked a lot of potential. The government failed to argue the case correctly and supreme court acted more like an activist court.
I do think both Government and Supreme Court failed to show the correct user journey here.
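A minimal sketch of the scoped, single-use token model described in the comment above, added here as an example; it is not UIDAI's API or code from anyone in the thread. Every name in it (`IdentityProvider`, `issue_token`, `verify`, `resolve`, the sample record and IDs) is hypothetical, and the verifier is assumed to query the provider online.

```python
import hashlib
import hmac
import secrets
import time


class IdentityProvider:
    """Hypothetical core service: keeps full records, answers scoped queries."""

    def __init__(self):
        self._mac_key = secrets.token_bytes(32)  # never leaves the provider
        self._records = {}    # permanent id -> full record
        self._tokens = {}     # one-time token -> (permanent id, scope, expiry)
        self._receipts = {}   # receipt id -> permanent id (provider-side only)

    def enroll(self, permanent_id, record):
        self._records[permanent_id] = dict(record)

    def issue_token(self, permanent_id, scope, ttl=300, now=None):
        """Holder's app asks for a random, single-use token limited to `scope`."""
        if permanent_id not in self._records:
            raise KeyError("unknown identity")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # random, so it reveals nothing by itself
        self._tokens[token] = (permanent_id, frozenset(scope), now + ttl)
        return token

    def _mac(self, receipt_id, verifier_id, ts):
        msg = f"{receipt_id}|{verifier_id}|{ts}".encode()
        return hmac.new(self._mac_key, msg, hashlib.sha256).hexdigest()

    def verify(self, token, verifier_id, requested, now=None):
        """Verifier redeems a token; gets only fields in both scope and request."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)  # pop makes the token single-use
        if entry is None:
            return None
        permanent_id, scope, expiry = entry
        if now > expiry:
            return None
        record = self._records[permanent_id]
        allowed = scope & set(requested)
        attributes = {k: record[k] for k in sorted(allowed) if k in record}
        receipt_id = secrets.token_hex(16)
        self._receipts[receipt_id] = permanent_id
        ts = int(now)
        receipt = {"id": receipt_id, "verifier": verifier_id, "ts": ts,
                   "mac": self._mac(receipt_id, verifier_id, ts)}
        return {"attributes": attributes, "receipt": receipt}

    def resolve(self, receipt):
        """Lawful-access path: map an untampered receipt back to the identity."""
        try:
            expected = self._mac(receipt["id"], receipt["verifier"], receipt["ts"])
            if not hmac.compare_digest(expected, receipt["mac"]):
                return None
            return self._receipts.get(receipt["id"])
        except (KeyError, TypeError):
            return None


def demo():
    """Run the hotel check-in flow on a constructed record."""
    idp = IdentityProvider()
    idp.enroll("ID-0001", {"name": "A. Example", "photo": "photo-ref-123",
                           "age": 34, "address": "12 Sample Road"})
    t0 = 1_700_000_000
    token = idp.issue_token("ID-0001", {"name", "photo", "age"}, now=t0)
    # The hotel over-asks for the address; the token scope does not cover it.
    result = idp.verify(token, "hotel-42",
                        {"name", "photo", "age", "address"}, now=t0 + 10)
    replay = idp.verify(token, "hotel-42", {"name"}, now=t0 + 20)
    stale = idp.issue_token("ID-0001", {"name"}, ttl=60, now=t0)
    expired = idp.verify(stale, "hotel-42", {"name"}, now=t0 + 61)
    forged = dict(result["receipt"], verifier="hotel-99")
    return {"result": result, "replay": replay, "expired": expired,
            "resolved": idp.resolve(result["receipt"]),
            "forged": idp.resolve(forged)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The hotel ends up holding only the three disclosed attributes and an opaque receipt; the permanent ID never reaches it, and a receipt whose verifier field was altered fails the MAC check and does not resolve.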
I’d love to see a citation for a Hotel being legally allowed access to the Aadhaar KUA system, even before the Supreme Court judgement. No hotel in India does this, because Aadhaar as implemented is an “honor based system” for the majority of usecases where a photocopy of an Aadhaar (with or without QR) is assumed to be valid.
In comparison, a Voter ID and PAN are both hologram protected and forgeries are easily detected.
W3C verifiable credentials do not require a singular identity source, they work perfectly fine with multiple issuers.
Not OP, I agree that hotels don't do any face matching.
However for getting a new mobile connection the flow is similar to what OP has mentioned. It seems one can get a mobile connection by not opting for face recognition, but the process is cumbersome. Similarly for property registrations fingerprints (at least in some of the states) of the concerned parties are matched against the ones that are associated with their Aadhar.
Yes, because Telcos are designated as AUAs, and expected to do a full KYC under DoT regulations. Hotels are not.
I have two SIMs, and I surprisingly got the newer of them in 20 minutes at a remote village in India without an Aadhaar. Telcos do a Liveness check with their phone instead these days.
> and instead demand your passport and other identification, scan it and leave it in their system forever. They also are known to sell this data to other from time to time.
Isn't this the problem vs the Supreme court judgement? Why does the hotel need to save this data forever?
A simple fix will be to make companies liable for leaks of personal data. That alone will incentivize them to delete personal data as fast as humanly possible.
Congratulations! Your data is already sold out for Rs. 40 in black market! Also, why do you need aadhar to enter airport?
Now, the morons in charge are making it mandatory to book a gas cylinder as well. It’s like once a blind suddenly starts seeing, he wants to capture everything.
Indians have this crazy love for idiotic paperwork and nitpicking around paperwork, coupled with mostly low IQ and less educated clerks everywhere it becomes worse. I once submitted my PAN and Passport to the bank who refused it claiming the spellings of both names do not match as my middle name was shortened on PAN card. I showed them that my photo is present on both and both cards belong to the same person. But nopes.
A friend then showed me that he downloaded aadhar PSD online, put a random invalid number, his photo and a non-existent address on the bank and used it everywhere where people were asking for aadhar without any need. Building and Airport security, Hotel reservation staff, Bus tickets and so on and used real aadhar only for banking and sim cards. He said this simplifies life a lot.
This is the ultimate facade of Digital Identity that UIDAI lets happen while sitting idly by. They put a circular against “Aadhaar photocopies not being valid” only to rescind it the next day because everyone made fun of them.
The truth, as you point out, is that Aadhaar in reality is an “honour based system”, where UIDAI pretends everything is valid and authenticated as long as it gets used everywhere.
In India you have to cheat just to get things done at all due to how nonsensically strict things are, which leads to increased scrutiny due to cheating, which leads to more need for non-cheaters to cheat just to get things done, which leads to increased scrutiny due to cheating…
As for the low IQ thing no one wants to acknowledge it but check the charts and see that it’s true. Centuries of caste based inbreeding and colonial clerk education will do that to a population. The added toxins in the turmeric will finish the job.
I think this point is bit orthogonal. The current outrage was largely because the app has to be pre-loaded and there wasn't an option to disable or uninstall it.
In the later incarnations, if this is an app which you need to access government services that is less of an issue, though I'm not advocating that this is completely fine. There are already apps like these CoWin (during Covid time), or Digiyatra (despite some of the privacy concerns around it [1]) which many are using. I hope if at all this app gets introduced (in the form you mention) there are larger discussions about permissions and the data access the app would need, and it can be disabled, uninstalled.
Appetite for `Make in India` and favor for homegrown solutions. Indian gov/companies is more capable of delivering a solution better suited for the many local languages. Instead of mandating, they should just try to put some more minds together and make a general purpose India super app to help citizens access gov services that isn't PayTM.
Do people have rights around the world, to not use a smartphone or the internet to access critical services/commerce? Shouldn't that be a thing if not?
Travel counts, sure. Food, travel, accommodations/rent/housing. Freedom to eat, to have shelter, to move about, start a business or trade with other people. New technology should not result in a reduction of freedoms, or even privileges.
This was never going anywhere and if the Indian government thought it could get away with effectively installing spyware, then they were just self indulgent.
Bugging communication devices has long been a government / law enforcement tactic, mostly enabled by telcos via ITU, which since its inception has been a willing collaborator.
BBC news about India has been so negative in the past few years, I have stopped trusting them. Of course there are other news about them spoofing videos.
Apple has been a massive driver for India's electronics manufacturing boom, because it's Apple that has been strongarming its suppliers like Foxconn and Envision to start manufacturing (not just assembling) in India - just like how Apple helped turbocharge China's electronics upskilling in the late 2000s and early 2010s which helped Apple vendors like BYD and BOE become global competitors in the 2020s.
Tata Group has also become an Apple vendor now as well for both assembly as well as chip packaging, so they probably helped arbitrate.
Apple and India are also negotiating over a potential $38B anti-trust bill [0] which is a significantly higher priority for both parties.
Looks like the complaining and protesting on Twitter helped, even if was serious, and some just memes. Some things to note:
1. Most Indian bureaucracy is clueless about tech things, and just goes by whatever somebody who sounds like techy enough is selling them. Which in this case I'm guessing is a data mining company/lobby.
2. The information derived can be used for various purposes. Plotting election trends, economics, spotting general trends pro/against politics and other nefarious causes. etc.
3. Spying.
4. Using information to go after political opponents.
5. Demographic targeting, which in Indian context almost always means a pogrom against groups, which other groups don't like.
6. Selling data to commercial entities for better targeting, or even social engineering buying choices etc.
There could be many others. But it's kind of nice that it was taken back. Having said this, it will be pushed again at some point when people are busy with a crisis and this will be sold as a fix.
Will the increased awareness change anything though? After Snowden, nothing seemed to have changed, it just seems to be getting worse.
Most likely, Indian government will try again
Come to the dark side, we got no cookies but gophers here.
India is the biggest market for WhatsApp, not sure about FB. I doubt general population cares about privacy or even understands what it means.
[0] - https://www.reuters.com/sustainability/boards-policy-regulat...
[1] - https://www.reuters.com/sustainability/boards-policy-regulat...
They'll wait for UK/AU/EU to enforce one first.
Like with the chat control in the EU now, the foot is already blocking the door
They'll make it mandatory to access critical services at a later point. Tax payments, utility enrollments stuff like that.
That is how they ramped up enrollment in Aadhaar UID.
> a single ID will limit babudom arbitrariness a bit
It does not in practice, because Aadhaar data is an unverified source of big messes. As several examples:
- UP Gov does not believe Aadhaar to be a proof of date of birth https://www.newsonair.gov.in/up-government-clarifies-that-aa...
- UIDAI has stated that it is not a proof of citizenship, DoB, or address: https://timesofindia.indiatimes.com/city/lucknow/aadhaar-not...
- EPFO no longer accepts it https://www.thehindu.com/news/national/government-makes-citi...
Oh, I see. I misunderstood you. Thank you for explaining.
India supreme court is bonkers and often known for its BS judgements devoid of logic and law.
Aadhar is "identity", it is not a "card" of any kind though Indians have an inherent love for collecting various cards for fun. I have my driving license, PAN, aapar, kisan and state government health insurance cards, labor department id card. I have a few more in some drawer.
Once a person gets aadhar, it acts pretty much the same as OAuth. You go to a hotel to get a room, Hotel by law is required to verify that your name and face match. You give your aadhar card to them which they scan on their computer and verify that your name matches your face. Because they are a hotel they have the right to only verify that.
This is much more privacy preserving than what supreme court did. Because of Supreme Court, hotels no longer bother to implement this and instead demand your passport and other identification, scan it and leave it in their system forever. They also are known to sell this data to others from time to time.
The technical idea behind aadhar was similar to UPI. Government runs the core infra with basic APIs but private companies build apps on top of it. For example, say GPay builds aadhar interface where when you walk into a hotel to reserve a room, Gpay automatically generates a new aadhar number with permissions only to show your name, photo and age. Hotel system verifies that and stores a receipt. If in future government is investigating who stayed in which room, law enforcement can convert these receipts to identification.
This was a better model which would have unlocked a lot of potential. The government failed to argue the case correctly and supreme court acted more like an activist court.
I do think both Government and Supreme Court failed to show the correct user journey here.
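The scoped, per-verifier identity token with a stored receipt that the comment above describes can be sketched as follows. This is an added example, not part of the thread and not UIDAI's or any payment app's API; the `Issuer` class, its methods, and all sample values are hypothetical and constructed for illustration.

```python
import hashlib, hmac, json, secrets

class Issuer:
    """Toy identity authority (hypothetical model, not a real API)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # MAC key known only to the issuer
        self._people = {}                     # real_id -> full record
        self._tokens = {}                     # token_id -> (real_id, verifier)

    def enroll(self, real_id, record):
        self._people[real_id] = record

    def _mac(self, payload):
        msg = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, real_id, verifier, scope):
        """Holder's app requests a token bound to one verifier and one scope."""
        record = self._people[real_id]
        token_id = secrets.token_hex(8)       # random, so unlinkable across verifiers
        payload = {"id": token_id, "verifier": verifier,
                   "claims": {k: record[k] for k in scope}}
        self._tokens[token_id] = (real_id, verifier)
        return {"payload": payload, "mac": self._mac(payload)}

    def verify(self, token, verifier):
        """Verifier-facing call: returns only the scoped claims, or None."""
        payload = token["payload"]
        if not hmac.compare_digest(self._mac(payload), token["mac"]):
            return None                       # payload was altered
        if payload["verifier"] != verifier or payload["id"] not in self._tokens:
            return None                       # presented to the wrong party, or unknown
        return payload["claims"]

    def resolve(self, receipt_id, verifier):
        """Lawful-access path: map a stored receipt back to the real ID."""
        real_id, bound = self._tokens.get(receipt_id, (None, None))
        return real_id if bound == verifier else None

def demo():
    issuer = Issuer()
    # Constructed sample record
    issuer.enroll("ID-0001", {"name": "A. Kumar", "age": 34,
                              "photo": "sha256:ab12", "address": "constructed sample"})
    token = issuer.issue("ID-0001", "hotel-42", ["name", "age", "photo"])
    claims = issuer.verify(token, "hotel-42")
    receipt = token["payload"]["id"]          # the only thing the hotel retains
    forged = {"payload": dict(token["payload"], verifier="shop-7"), "mac": token["mac"]}
    return claims, issuer.verify(forged, "shop-7"), issuer.resolve(receipt, "hotel-42")
```

The verifier never sees the real ID or any attribute outside the requested scope, and the retained receipt is meaningless to anyone except the issuer.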
I’d love to see a citation for a Hotel being legally allowed access to the Aadhaar KUA system, even before the Supreme Court judgement. No hotel in India does this, because Aadhaar as implemented is a “honor based system” for the majority of use cases where a photocopy of an Aadhaar (with or without QR) is assumed to be valid.
In comparison, a Voter ID and PAN are both hologram protected and forgeries are easily detected.
W3C verifiable credentials do not require a singular identity source, they work perfectly fine with multiple issuers.
Not op, I agree that hotels don't do any face matching.
However for getting a new mobile connection the flow is similar to what op has mentioned. It seems one can get a mobile connection by not opting for face recognition, but the process is cumbersome. Similarly for property registrations fingerprints (at least in some of the states) of the concerned parties are matched against the ones that are associated with their Aadhar.
Yes, because Telcos are designated as AUAs, and expected to do a full KYC under DoT regulations. Hotels are not.
I have two SIMs, and I surprisingly got the newer of them in 20 minutes at a remote village in India without an Aadhaar. Telcos do a Liveness check with their phone instead these days.
> and instead demand your passport and other identification, scan it and leave it in their system forever. They also are known to sell this data to other from time to time.
Isn't this the problem vs the Supreme court judgement? Why does the hotel need to save this data forever?
A simple fix will be to make companies liable for leaks of personal data. That alone will incentivize them to delete personal data as fast as humanly possible.
Congratulations! Your data is already sold out for Rs. 40 in black market! Also, why do you need aadhar to enter airport?
Now, the morons in charge are making it mandatory to book a gas cylinder as well. It’s like once a blind suddenly starts seeing, he wants to capture everything.
There is no concept of privacy in India. Your health and banking data is available to literally anyone interested. aadhar is not relevant to that.
Your data will be sold regardless of whether you have Aadhar or not. You just may not know it.
Indians have this crazy love for idiotic paperwork and nitpicking around paperwork, coupled with mostly low IQ and less educated clerks everywhere it becomes worse. I once submitted my PAN and Passport to the bank who refused it claiming the spellings of both names do not match as my middle name was shortened on PAN card. I showed them that my photo is present on both and both cards belong to the same person. But nopes.
A friend then showed me that he downloaded aadhar PSD online, put a random invalid number, his photo and a non-existent address on the bank and used it everywhere where people were asking for aadhar without any need. Building and Airport security, Hotel reservation staff, Bus tickets and so on and used real aadhar only for banking and sim cards. He said this simplifies life a lot.
This is the ultimate facade of Digital Identity that UIDAI lets happen while sitting idly by. They put a circular against “Aadhaar photocopies not being valid” only to rescind it the next day because everyone made fun of them.
The truth, as you point out, is that Aadhaar in reality is an “honour based system”, where UIDAI pretends everything is valid and authenticated as long as it gets used everywhere.
In India you have to cheat just to get things done at all due to how nonsensically strict things are, which leads to increased scrutiny due to cheating, which leads to more need for non-cheaters to cheat just to get things done, which leads to increased scrutiny due to cheating…
As for the low IQ thing no one wants to acknowledge it but check the charts and see that it’s true. Centuries of caste based inbreeding and colonial clerk education will do that to a population. The added toxins in the turmeric will finish the job.
I think this point is bit orthogonal. The current outrage was largely because the app has to be pre-loaded and there wasn't an option to disable or uninstall it.
In the later incarnations, if this is an app which you need to access government services that is less of an issue, though I'm not advocating that this is completely fine. There are already apps like these CoWin (during Covid time), or Digiyatra (despite some of the privacy concerns around it [1]) which many are using. I hope if at all this app gets introduced (in the form you mention) there are larger discussions about permissions and the data access the app would need, and it can be disabled, uninstalled.
1. https://internetfreedom.in/digiyatra-who-owns-your-data/
Agreed on all points.
I don't view these apps as net negative for a country like India which is helped immensely by digitization.
My comment was just pointing out that governments have a way to get you install the app if they really need to.
Exactly! Politics as usual in India.
The app itself seems to be a reinvention of https://www.gsma.com/solutions-and-impact/connectivity-for-g... which is good I suppose, but why not use the original registry?
Appetite for `Make in India` and favor for homegrown solutions. Indian gov/companies are more capable of delivering a solution better suited for the many local languages. Instead of mandating, they should just try to put some more minds together and make a general purpose India super app to help citizens access gov services that isn't PayTM.
Do people have rights around the world, to not use a smartphone or the internet to access critical services/commerce? Shouldn't that be a thing if not?
Canadian government must provide services for blind and deaf people via Teletype or something, so at least state services are covered.
The question is what makes service critical. Is Expedia or Uber critical?
Travel counts, sure. Food, travel, accommodations/rent/housing. Freedom to eat, to have shelter, to move about, start a business or trade with other people. New technology should not result in a reduction of freedoms, or even privileges.
This was never going anywhere and if the Indian government thought it could get away with effectively installing spyware, then they were just self indulgent.
this glosses over the point that they could have just accomplished that with already effectively required UPI apps
Bugging communication devices has long been a government / law enforcement tactic, mostly enabled by telcos via ITU, which since its inception has been a willing collaborator.
Ex A: Ind x ITU, https://cis-india.org/internet-governance/blog/india-itu-res...
Ex B: China x ITU, https://datatracker.ietf.org/liaison/1677/
It has been, but getting Apple to do it was dumb. They could've just used a government app that everyone has to use, and put the bugging in there.
previously: https://news.ycombinator.com/item?id=46104193
BBC news about India has been so negative in the past few years, I have stopped trusting them. Of course there are other news about them spoofing videos.
I've not been following this closely, but reading the headlines each day....is the timeline roughly -
India: Every phone must install a cyber safety app
Apple: No
India: OK, nevermind
?
Pretty much.
Apple has been a massive driver for India's electronics manufacturing boom, because it's Apple that has been strongarming its suppliers like Foxconn and Envision to start manufacturing (not just assembling) in India - just like how Apple helped turbocharge China's electronics upskilling in the late 2000s and early 2010s which helped Apple vendors like BYD and BOE become global competitors in the 2020s.
Tata Group has also become an Apple vendor now as well for both assembly as well as chip packaging, so they probably helped arbitrate.
Apple and India are also negotiating over a potential $38B anti-trust bill [0] which is a significantly higher priority for both parties.
[0] - https://www.reuters.com/sustainability/boards-policy-regulat...
Looks like the complaining and protesting on Twitter helped, even if some was serious, and some just memes. Some things to note:
1. Most Indian bureaucracy is clueless about tech things, and just goes by whatever somebody who sounds like techy enough is selling them. Which in this case I'm guessing is a data mining company/lobby.
2. The information derived can be used for various purposes. Plotting election trends, economics, spotting general trends pro/against politics and other nefarious causes. etc.
3. Spying.
4. Using information to go after political opponents.
5. Demographic targeting, which in Indian context almost always means a pogrom against groups, which other groups don't like.
6. Selling data to commercial entities for better targeting, or even social engineering buying choices etc.
There could be many others. But it's kind of nice that it was taken back. Having said this, it will be pushed again at some point when people are busy with a crisis and this will be sold as a fix.
I believe Apple's resistance to this notion played a role.
This is the standard playbook. And the gov just pulled a switcheroo:
Policy that is hard to pass: SIM binding for all messenger apps and automatic log out every 6 hours for desktop apps.
Even more egregious policy: Pre-install spyware that cannot be disabled.
Withdraw the egregious policy on outrage, and people think they have won the battle.
Gov release: https://www.pib.gov.in/PressReleasePage.aspx?PRID=2198110&re... (https://news.ycombinator.com/item?id=46132822)
https://www.pib.gov.in/PressReleasePage.aspx?PRID=2198110&re...
Read between the lines?
> Given Sanchar Saathi’s increasing acceptance, Government has decided not to make the pre-installation mandatory for mobile manufacturers.
outrage works
Outrage works when the party in government doesn't have an outright majority in parliament.