There are seven questions we challenge UIDAI to give a proper answer to (and one bonus).
What happens when stolen biometrics compromise a person’s identity?
Consider the example of the bank officer whose fingerprints got duplicated and sold to provide illegal access to create and update Aadhaar cards. There are other instances when fingerprints of operators got misused. A simple solution for UIDAI is obviously to disable the access of those people to update the Aadhaar database, but who is responsible when their fingerprints are used to drain attached bank accounts?
Who is liable when people are forced to give their Aadhaar to entities that already have their biometrics?
Forcing the linking of Aadhaar with provident funds has forced all employed people to submit Aadhaars at their places of work. Any places of work that also have biometric systems for access or attendance will also have their fingerprints on record. People who use thumbprints on forms instead of signatures will be vulnerable wherever their Aadhaar is linked, with their fingerprints being on file. Who is liable for misuse of the Aadhaars of these people?
What prevents operators from collecting copies of biometrics?
While registered devices encrypt the data before sending it to the UIDAI servers, what prevents operators from independently capturing the biometrics using other software before using the Aadhaar application to capture them?
How many people selling illegal access to the UIDAI database have been arrested?
There are people who have sold duplicated fingerprints of officers authorized to update Aadhaar. There are people who sold software to bypass the IRIS recognition in the Kanpur Aadhaar Enrollment scam. There are people who sold access to the Aadhaar database as exposed in the Tribune scam. All these are high-level hacks. Not only does someone have unauthorized access, they are able to duplicate that access for others well enough to sell it for a monetary profit. How many such people have been arrested?
How many Aadhaars have been cancelled because they were made by suspect operators?
Today the UIDAI has more blacklisted operators than active operators. How many Aadhaars created by these suspect operators have been cancelled? How can the integrity of the database be trusted when the UIDAI data itself says that there have been more problem operators than legit ones?
How can the UIDAI prevent misuse of Aadhaar for profiling when it has itself enabled it?
Aadhaar linking ensures that Aadhaar is not only used to authenticate accounts and verify identity, but also to permanently identify them with the Aadhaar number. The Aadhaar number gets stored against records for everything from banks and phone numbers to schools, pensions, jobs, travel, insurance and more. Whether the CIDR stores the information or not is irrelevant when various other entities store the information AND the information will be cross-compatible with other entities by simply matching the Aadhaar number. Claims of there being laws and rules to prevent it don’t fly, given that the very unconstitutional Aadhaar itself has become an epidemic disregarding the constitution itself. Clearly when it comes to data greed, the rule of law is mere lip service.
This use of linking Aadhaar goes beyond merely authenticating and attaches the Aadhaar as an identifiable key to personal information across countless databases nationwide. This is not like Google and Facebook having our data; it is like MERGING Google and Facebook data. How can the UIDAI prevent it?
What use is your authentication log if authentication can’t be revoked?
What is the point of having an authentication log if an authentication, once done, can’t be revoked? Consider the cases of SIM cards sold by getting gullible people to authenticate their Aadhaars multiple times but providing them only one SIM and selling the rest on the black market. Or authenticating their Aadhaar, but being unpleasant so that the person leaves without buying the SIM, which is then sold on the black market. Can such a person REVOKE the authentication that was not used?
If a person finds that their Aadhaar was authenticated without their knowledge or them authenticating it, can they revoke the authentication to prevent the misuse and cancel the bank account or financial transaction or fraudulently issued SIM in their name? How?
Whose liability are the demographic authentications that you have now hidden from the authentication history, so that your gullible marks won’t even know when they’ve been exploited?
A bonus question:
What is UIDAI’s liability when Aadhaar serves as quality testing for biometrics scams?
In the case of the Police Entrance Exams scam, experts answering exams on behalf of applicants used Aadhaar to test the quality of the false fingerprints they would use for the scam to ensure that they worked. Is this a bug or a feature? What is the UIDAI’s liability when access to examination authentication or other applications where AEBAS may secure sensitive access is publicly available year-round to test against and ensure that scams don’t fail for lack of “quality”?