As a Computer Science PhD from US u definitely understand PIN/password are not any kind of primary/foreign key while your biometrics & Aadhaar number are intended to serve as connecting key between all areas of your digital and physical world life. That's the privacy threat.
Further usage of thumbprint for official purposes had its exploitative perils for poor illiterate people because your thumbprint could be taken consentlessly with force or when sleeping or dead too. Signatures are different because they need your active action, mental involvement
Apart from forced thumbprints, forgery of thumbprints was tougher with physical media like ink on paper, particularly in the age when artificial 3D printed thumbprints were not easy to make. With digital sensors & digital manufacturing, it is more or less trivial if you have equipment
And the cost of equipment is only going to go down if biometrics technology is stupidly made very prevalent in critical areas that facilitate lucrative frauds. So there will be absolute mayhem and you know it Mr PhD. Do not fool Indians on behalf of (((Western Thugs)))
So yes, with progress of technology, even old fashioned thumb print has become high risk and illiterate people must at least learn to sign. But Aadhaar scam of (((Western Thugs))) makes even literate people angoothachhap with absolute blow to both privacy and security.
The blow to privacy is because your collected biometrics, tied to Aadhaar not only facilitate a full digital life surveillance, but also real world surveillance with CCTVs etc.
And for blow to security let's look at your own sentence that biometrics are not secret. Let me add to it that biometrics are not changeable and that biometrics are always visible. All this makes them entirely different from signature.
1st nobody can know your signature unless you physically sign somewhere. That document will typically be available to very few in trusted environment. On other hand EVERYBODY can see your biometrics all the time & surveillance systems constantly record them too in physical world.
2nd, even those who know your signature from a document they are privy to, would either need to be skilled at drawing to replicate it or must have special machines. Those machines are not common. And they usually have a constant pressure signature, hence detectable from real one
On other hand, Aadhaar type scam ecosystem would make biometric scanners very common and replication can be at digital level, or even using low tech gum, or using 3D printing. Either way, if it gets authenticated, it is as good as original. You cannot audit and catch a forgery.
Even if signature is forged, you can create some degree of protection by silos. Have separate signature for separate areas, so compromise at one area doesn't affect other areas. In fact by knowing which signature forged, u may understand which insiders may have compromised your docs
On the other hand biometrics are constant for life and same across all areas that incorporate the Aadhaar scam or incorporate biometrics in any other way. So you simply cannot have silos even for security. How Aadhaar scam breaks silos of privacy we already saw earlier :P
Now suppose you discovered your signature is forged, whether in one area if you maintained good silos or whether for all areas. Either way, it is possible to update a changed signature in all those life areas. It will be much more risk & work if no silos of signatures of course.
So while you can definitely recover from signature forgery as above, you simply CANNOT recover from biometrics theft/forgery. What will you do? Get plastic surgery? Mutilate your fingers? Operate on your iris?
So while biometrics compromise is almost 100% guaranteed for each person if Aadhaar stays, there can be absolutely no contingency or recovery mechanism. It's a GUARANTEED DISASTER AT SCALE OF BILLION PEOPLE AND YOU WILL BE GUILTY (AMONG OTHERS) PANDEY JI!
Another minor advantage of signature is, I can put a date on it and state a purpose. Aadhaar biometrics authentication is a blank cheque. I have no way to ensure it will be used for exactly the purpose for which I thought I gave biometric auth.
Next your article comes back to your original obsession "there is no biometrics breach from CIDR". That's not relevant Mr. PhD Pandey because as you yourself say your biometrics are not secret. So anyone can get a copy of the key. It's a HUGE INTENTIONAL DISASTER.
Then u pretend leakage of biometrics even if it happens has limited damage potential because it is not a secret. WRONG Pandeyji! That was old world where biometrics did not have much use because there was no Aadhaar. If Aadhaar stays, a compromise of biometrics ruins WHOLE LIFE!
So maybe if your PhD brain has not completely rusted, you will understand that Aadhaar should not exist because it destroys the same reassuring world picture you try to paint where biometrics compromise was not critical. Aadhaar ENABLES biometrics theft AND makes it DAMAGING.
So no, critics are not having any 'paranoia'. They are 100% pragmatically correct that Aadhaar biometrics auth is an unmitigated and unmitigable disaster at national scale.
Problem is not 'paranoia' of critics but 'purposeful stupidity' of PhD Pandey.
In next paragraph you try to overwhelm the layman with gobbledegook jargon without really saying anything and in fact contradict yourself several times. You throw around terms which are not technical but legal jargon with no universal definitions. So we will start with Indian law
But first let's summarize your paragraph stance:
1) Aadhaar number is not confidential or secret but sensitive personal info
2) But must be freely shared when required (by whom?)
3) Publication of Aadhaar is not security breach
4) But unauthorized public disclosure is prohibited
And then some rhetoric about bank account numbers & signatures being on every cheque and whether bank account can be hacked just by account number or Aadhaar number. Screenshot of full absurd para:
Having seen your claims, the crux of your claims is in the fancy term 'Sensitive personal information (SPI)'. That term is defined in GSR 313(E) - Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
If you ask me, that definition itself is highly limited and hence problematic compared to global standards. But taking it for what it is, how exactly does Aadhaar number fit into it? It is not password, financial info, health info, sexual orientation info or medical records.
Although Aadhaar involves biometrics, Aadhaar number itself is not biometrics. So it doesn't get included under that head also. It can be considered detail 'related to above clauses' then.
So is Aadhaar number an SPI only when given with biometrics, financial or medical/health info, not otherwise? If so then it is a highly narrow definition because Aadhaar info does not stay in silos. Its evil purpose is to break silos.
But let's just say such narrow and dangerous reading by me is unwarranted. Let's say since Aadhaar number is given with biometrics, medical or financial info at some places, it's sensitive personal info at all places. Then let's see your claims against rules for SPI.
The condition after viii) is that if it is freely available or accessible in public domain, it's not SPI.

How does that reconcile with your irresponsible claim that any publication of Aadhaar is not security breach?
Same condition after point viii) of SPI definition also says SPI can't be something which is furnished under RTI Act. So that contradicts old claim of Pandey ji (if I remember right) that Aadhaar info of beneficiaries were displayed by govt sites under RTI Act requirements.
Anyway such slightly oblique nitpicking aside, here's a very direct point. Rule 7 regarding SPI in same document says prior to collecting sensitive personal information, option should be provided to not give such info! So how can you claim Aadhaar number NEEDS TO BE freely shared?
Dear lawyers @prasanna_s @sanjayuvacha @MishiChoudhary @gautambhatia88 check above how IT rules 2011 say that option must be provided to NOT give sensitive personal info (SPI) and the consent can be later withdrawn too. PhD Pandey says Aadhaar number is SPI!
So that means irrespective of SC Puttaswamy Aadhaar case verdict, by existing IT rules itself, we can refuse to give Aadhaar number anywhere and also ask to revoke consent delink etc wherever we have given Aadhaar!