It Looks Like The Creator Of India's Invasive National ID Accidentally Tweeted His Personal Info

Citizens, residents, and visiting workers in India are required to submit all ten of their fingerprints and an iris scan to participate in the country's controversial unique identifying number program. The man behind that program, Nandan Nilekani, for some reason tweeted a photo of his ID card with the numbers blacked out, but he didn't redact the QR code.

Nilekani spearheaded the program known as Aadhaar when he served as the head of the Unique Identification Authority of India (UIDAI) from 2009 to 2014. As of April of last year, 1.14 billion people, or around 87 per cent of India's population, had been issued a number. In addition to biometric data, India's unprecedented database contains demographic information, home addresses, and much more. In 2016, World Bank Chief Economist Paul Romer called Aadhaar "the most sophisticated ID programme in the world." Having an Aadhaar number is required to participate in any of India's numerous social safety net programs, as well as to receive employee compensation, file your taxes, set up a bank account, get insurance, purchase a home - the list goes on and on. You have to have an Aadhaar number.

Nandan Nilekani has defended the program against security experts and privacy advocates from the beginning of its rollout, and in what must have been a moment of hubris, he tweeted a photo of his own Aadhaar ID on April 12, 2014, with the first eight digits of the 12-digit identification number obscured. But he bafflingly elected not to obscure the QR code on the right-hand side of the card. Scanning that code gives anyone access to his number and demographic information. And despite being told by others to delete the tweet, Nilekani reportedly waited until September of 2016 to remove it. Buzzfeed News reports:

And as with just about anything that's publicly tweeted, Nilekani's private information remains online. Members of an internet forum popular with computer programmers scanned his QR code and posted his demographic details and Aadhaar number, and this data eventually ended up on at least half a dozen other webpages that BuzzFeed News reviewed. Images of Nilekani's tweet with his Aadhaar card exist on at least one popular website...

"I guess Nandan didn't realise what he had done at first," said Prasanto K Roy, a former technology journalist who was one of the people who alerted Nilekani. "And I don't think he paid much attention to it even when it was flagged, probably thinking that it wasn't a big deal since, as a well-known person and the head of the Aadhaar program, most of his demographic details were publicly available anyway. I think he must have realised the seriousness of it later - that his tweet might suggest to others that it was OK to post a picture of your Aadhaar card simply by redacting the Aadhaar number itself."

September of 2016 is actually when it became illegal to publish Aadhaar numbers in public. So, it's more likely that Nilekani was just complying with the new law.

It would be difficult, though not impossible, to impersonate someone with their Aadhaar number. There are three verification options to match with the number: a fingerprint or iris, a code sent to a linked cell phone, or a linked piece of demographic information such as a birthday. And of course, hackers can do a lot with just a few bits of info about a person. Nilekani may feel that he's invulnerable to someone using his data to commit fraud, but less powerful residents have more to worry about.

Despite authorities' continued insistence that people have nothing to worry about, recently we've seen reported breaches that exposed 130 million people. In one instance, access to India's full database was sold for just $US8 ($10). In November, more than 200 government websites accidentally exposed the personal information of an undisclosed number of Aadhaar users.

Even beyond the security risks, the system seems to be a bureaucratic disaster. The EFF has detailed the absurd and confusing legal limbo that has plagued the program. In August, India's Supreme Court issued a long-delayed ruling that confirmed citizens' right to privacy and appeared to strike down the government's ability to make Aadhaar compulsory. But observers fear that the system is already too ingrained in society for that ruling to have much of an effect on business owners and other institutions still demanding the identification. All the while, implementation of the program is filled with screw-ups like the case of 65-year-old Sajidha Begum, a woman with leprosy who was denied her pension because she didn't have an Aadhaar number due to her lack of fingers.

Though he's no longer part of the UIDAI, Nilekani continues to defend the program he started. On Wednesday, he told reporters in India that there was "an orchestrated campaign to" malign Aadhaar in public. For critics, the system's vulnerabilities speak for themselves.

[Buzzfeed]



Comments

    The aadhaar number is meant to be public property i.e. to enable commerce amongst all subscribers of the uidai, including the aadhaar number holders, authenticators, user agents, etc.

    The consumerisation of biometrics was expected to play a large role in the commercialisation of the aadhaar project. This included the so-argued prevention of corruptive processes at the government's welfare programs, where the govt is just another commercial user of the system.

    The aadhaar project and its dreamers thought along the same lines as the creators of every other social network, eg, facebook, twitter, linkedin, and the several other such networks plying on the public internet.

    In 2014 with the project verily in the doldrums owing to high costs and scarcely accounted benefits accruing to any subset of commercial subscribers it was a foregone conclusion that the project would be given a quiet burial by the newly elected Parliament.

    A 30-minute meeting between the new Prime minister of the Union government and the departing chairman of the uidai, which history might record as the cause for the rout faced by the Prime minister and his government in the subsequent General Election of 2019, saw the new Prime minister swaying to the tunes of digital and infotech and other such lullobbies. And so it came to be that Indians became fodder for digital, of digital and by digital.

    The new government, elected warmly by no less than 1 in every 5 Indians, and sworn to unearth every shade of black money in all 5 Indians, began mandating all Indians, even if they be in the smaller set of 4 of every 5 Indians that wanted no truck with it, to go for digital; and the uidai would be at hand for the mission. This would make India a global power by 2047 and all.

    It probably helped the scheme of things that the departing chairman of the uidai had contested in the General Elections in his storied city of Bangalore, the digital capital of India, and had received an unimaginably boring drubbing.

    Yeah, it was orchestrated alright. The aadhaar was to be the government's gift to the digital Indians, all 5 of them. Hence we have a paytm (some play on pay and atm that requires precious education to comprehend), a bhim (a mace) and 20 petitions in the Supreme Court to eradicate the uidai.
