Is all tracking the same?

Nope. You are being misled by propaganda

(Mobile, Facebook, Google, Twitter - any one or all of them - shortened to MFGT for this article)

Difference between tracking by Mobile FB Google or Twitter and Aadhaar
Difference between tracking by Mobile FB Google or Twitter and Aadhaar

FORMED IN COMPLIANCE with law

Independent entities accountable to state

Private bodies with no authority on citizens

no matter how large or ubiquitous, are still private corporations, operating under specific laws, including laws governing privacy and data protection. They do not have the power, for instance, to cause a “civil death” – a state wherein an individual loses all Constitutional rights and entitlements.
Competitive alternatives possible

Tracking capability limited to service

The ability of MFGT to track users is limited by the level of use and the permissions configured by the users – which can be modified at any time. Further, only authorized people within the organizations have access to this information, and are contractually bound not to divulge this information.   Facebook may republish a user’s tweets (messages from Twitter) if a user opts to link the two services, but they cannot get the user’s data beyond the chosen level of access. The information one service has about a user is never made entirely available when authenticating another service.

Most applications today allow turning off location tracking, or enabling a “do not track” feature. While mobile service providers can still triangulate locations based on answering towers, a person who does not wish to be tracked – by each and every one of these services – has the option of making that choice.

Whether it is by not creating accounts with the companies or by changing the operating system of a phone to a custom build that prevents surveillance – or, quite simply, by switching off the mobile phone (or leaving it home).

There is no legal consequence to being unable to use social media or phone

Choice

People can log out of accounts while accessing specific services, create multiple accounts or delete their accounts as well as all associated data without any impact on the quality of their life. People will not go hungry if they do not possess a Facebook account.

FORMATION OF UIDAI HAD NO BASIS IN LAW​

Backed by state and accountable to none​

Government body with state backed imposition

Through its very design and subsequent function creep, Aadhaar has created a situation wherein people have actually lost their lives for want of an Aadhaar – through losing their right to food or right to livelihood.

Competitive alternatives eradicated

Tracking across various government as well as privates services possible with arbitrary expansion

Aadhaar by design enables a hydra-like level of tracking. There is no telling how many organizations – not just government departments – will end up with access. SRDHs is an example of how state governments have pooled data from various agencies to create a 360 degree profile of Aadhaar holders.

Arbitrary interpretations of data sharing have made a mockery of the token safeguards against data sharing in the Aadhaar Act.

There is no way to “turn off” one’s Aadhaar, or opt out of the scheme, without giving up essential services which require Aadhaar-based authentication. Even where this is not the case, inorganic seeding (e.g., by entering the Aadhaar number on the service provider’s forms) may still end up linking services with the Aadhaar number of holders. To quote Prof. G.Nagarjuna, “every linkage is a leakage”. 

Inability to pay tax will make non-Aadhaar holders eligible to pay tax criminals

Imposition

There is no way of opting out from the Aadhaar scheme. Once the Aadhaar number is linked to a service, there is no way to disconnect, log out, change the number or delete it.

People have the power to challenge actions of private companies in courts of law

The actions - and omissions - of private companies can be challenged in courts of law, and they can be investigated through Constitutionally-mandated law enforcement mechanisms.

No power to deny anything beyond own service

Private companies are not backed by any government punishing citizens for lack of adoption. MFGT have no power to deny anyone anything beyond the use of their own services.

Mobile companies or social media companies have no power to deny rights to children.

Cannot prevent medical assistance in health emergencies

Authentication is not possible without the user’s participation. Most authentications offer a varying range of access – from simply authenticating that the user is indeed the profile they claim to be, to access to reading their public messages, private messages or posting messages on their behalf. Still, no service will allow third party authentication to access core profile data and services – privacy settings, downloads of archives, authorizing access to others.
MFGT – and indeed all responsible internet companies that allow third party authentication – provide dashboards through which prior authentications can be reviewed and disabled if no longer necessary.

High priority on data protection

Technologically competent

Users of the service can have a consistent experience and failures are rare and followed by prompt action and clarifications to media from the company to users who were inconvenienced

Only UIDAI can take legal action for issues related to Aadhaar

Aadhaar holders are denied the right to challenge even harm to themselves caused by an Aadhaar number-related crime or malpractice - even filing an FIR requires the approval of a UIDAI officer. This violates an individual’s fundamental right to justice. Whether the UIDAI itself, or its officers, can be investigated is a question whose answer is not forthcoming.

Prevents access to other essential services

Between 8%-20% of various government entitlements have been denied to citizens for lack of Aadhaar linking. (Sample sizes may vary from classrooms to entire states)
Children have been denied admissions, scholarships, even birth certificates for lack of Aadhaar

People have been refused hospitalization for lack of Aadhaar

Demographic authentication using Aadhaar can be done on the basis of a photocopy of any Aadhaar found in a random paper heap without the knowledge of the Aadhaar holder. Indeed, this is how inorganic seeding officially takes place. There is no way for the Aadhaar holder to control how much information of themselves is provided to third parties and no way to prevent it.
There is no easy way to know which services have been authenticated by one’s Aadhaar number. Even the authentication history logs do not provide information on authenticating services. There is no question of revoking anything. If you purchase a SIM with an Aadhaar and stop using it and it gets deactivated and reissued to someone else, it may still be linked with your Aadhaar.

High priority on cover ups

Technologically incompetent

Failures are frequent and unexplained, leaving users floundering to understand what happened or how to resolve it. There is no point to report failures, no immediate redressals and no explanations for outages causing widespread inconvenience or deprivation of necessities.

If facebook failed as often as aadhaar, you'd STOP using it

Robust support services with tickets following each issue reported, extensive help and troubleshooting information and multiple and highly accessible ways of seeking assistance.

None of the services offered by these companies can share a user’s data without explicit consent. The user also has the choice of limiting or anonymizing the data shared across platforms by these services or collected for purposes of statistics.

Further, all of these companies are governed by local laws on data protection, and any changes in their policy seen to transgress these laws can be challenged in Court.

Mobile companies or social media companies have no power to deny rights to children.

Cannot prevent medical assistance in health emergencies

Authentication is not possible without the user’s participation. Most authentications offer a varying range of access – from simply authenticating that the user is indeed the profile they claim to be, to access to reading their public messages, private messages or posting messages on their behalf. Still, no service will allow third party authentication to access core profile data and services – privacy settings, downloads of archives, authorizing access to others.
MFGT – and indeed all responsible internet companies that allow third party authentication – provide dashboards through which prior authentications can be reviewed and disabled if no longer necessary.

Disclosure of breaches

Breaches are a fact of Internet websites. However, responsible management of breaches invokes trust. Internet-based companies are required to inform users in the event of a data breach. Such notifications provide clear information of the extent of the breach and are invariably accompanied with password resets across the entire platform that require users to reset passwords using their authenticated email addresses to prevent passwords acquired in a breach from being misused. In the event critical data like credit cards has been leaked, instructions may even include asking for vulnerable credit cards to be blocked.

aadhaar fails routinely, but you are forced to continue using it

No equivalent

Section 57 of the Aadhaar Act gives the UIDAI virtually limitless power over an Aadhaar holder’s personal data.Through the e-KYC service, any other service provider requiring an Aadhaar linkage automatically gets access to the holder’s data without any further requirement of the holder’s consent.

Further, from 2010 to 2016, the UIDAI operated in a legislative vacuum, without any laws regulating its role as not just a data collector but also a data regulator. In this time, it is not completely known how many agencies (government or otherwise, Central or State) were given access to Aadhaar data by the UIDAI.

Children have been denied admissions, scholarships, even birth certificates for lack of Aadhaar

People have been refused hospitalization for lack of Aadhaar

Demographic authentication using Aadhaar can be done on the basis of a photocopy of any Aadhaar found in a random paper heap without the knowledge of the Aadhaar holder. Indeed, this is how inorganic seeding officially takes place. There is no way for the Aadhaar holder to control how much information of themselves is provided to third parties and no way to prevent it.
There is no easy way to know which services have been authenticated by one’s Aadhaar number. Even the authentication history logs do not provide information on authenticating services. There is no question of revoking anything. If you purchase a SIM with an Aadhaar and stop using it and it gets deactivated and reissued to someone else, it may still be linked with your Aadhaar.

Cover ups and persecution

Aadhaar numbers and associated demographic data have been exposed on a number of websites, many belonging to government agencies. There is no way for the public to report these vulnerabilities without facing persecution from the UIDAI, nor is there any protocol for Aadhaar holders to be notified in the event their personal/ demographic data has been exposed.

Even with the countless design flaws leaving Aadhaar holders vulnerable, alert holders could still take some mitigation measures like changing attached phone numbers or closing linked bank accounts and opening new ones.

Even this limited mitigation is not possible if there is no notification to the user of a vulnerability.

Bug bounties, bug reporting, prompt updates to fix vulnerabilities

MFGT have strong bug reporting mechanisms including “bug bounty” programs where skilled programmers are rewarded for finding critical vulnerabilities so that they may be fixed. This incentivizes legal profiting from hacking and reduces the lure of exploiting vulnerabilities found at the cost of legal risks.

Nowhere to report, reporting punished, ongoing vulnerabilities

Aadhaar has the opposite. People reporting vulnerabilities are intimidated, persecuted and/or prosecuted, while exploitation of the vulnerabilities mostly goes unpunished, making exploiting security flaws in the Aadhaar ecosystem more profitable and less fraught with legal risks than reporting them.

(Last, but not least, the idea that some entity doing something unethical is a justification for officially adopting an unethical practice is moral bankruptcy.)


Vidyut

Vidyut is a commentator on socio-political issues with a keen understanding of tech and policy. She has been observing and commenting on Aadhaar since 2010 from a perspective of human rights, democracy and technological robustness.

1 Comment

Sai Vishal · February 4, 2018 at 10:10 pm

Facebook
They make money by selling data.
aadhar – the data is stolen or used illegally with which people make profits or use for criminal actvities

Leave a Reply

Your email address will not be published. Required fields are marked *