Draft Aadhaar (Authentication and Offline Verification) Regulations, 2021 - uidai.gov.in/images/Draft_A…

Draft put for consultation 'silently' by @UIDAI on May 20, 2021 and closing by June 2, 2021.

Some highlights on thread.

@SFLCin @internetfreedom @nixxin
The proposed regulations will supersede the Aadhaar (Authentication) Regulations, 2016 uidai.gov.in/images/regulat…

Context: This is the regulation relating to Authentication coming after #Aadhaar Amendments and the Aadhaar Good Governance Rules 2020
TLDR - These regulations are around the authentication framework, including offline verification, appointment of requesting entities and AUA/ASA, Obligations of Offline Verification Seeking Entities (OVSE), eKYC guidelines, regulations around logs, audit, transaction data
On definitions - ANCS - #Aadhaar Number Capture Service is a new tech getting a mention. There are very few references to technical details of this service, which will be run by @UIDAI. At the outset, it does seem like an OAuth endpoint being run.

Regulations without sufficient details are bad
Offline verification gets regulatory recognition.
4 types of offline verification. They are allowing paper copy to be collected, which is deeply problematic.

But regulations now seek redaction / black out of first 8 digits. Will we see this in reality? Take your guess
Authentication types - such careful wording to allow facial authentication, without explicitly mentioning that in regulations.

#CoWIN is the first large scale app to perform facial authentication.
#OVSE must tell the Aadhaar holder - the nature of information received during auth / verification, its use - in local language *AND* must provide alternate viable means of identification, and cannot deny / refuse any service.
Upon withdrawing consent, Aadhaar data shall be deleted by the requesting entity in a verifiable manner and an acknowledgement of the same to be shared with resident.
Capturing biometrics. It is to be noted that @AyushmanNHA is capturing facial data for #CoWIN facial authentication pilot - without the processes and specification laid down by the authority in public domain.
Side stepping a bit on facial authentication guidelines by volunteers. Yeah, you will not see any reference to UIDAI, but this is how all #Aadhaar tech was built.

Coming back - "In all modes, Aadhaar number is mandatory and is submitted along with input parameters" - is such a disregard to #VID. But this is where we see - #ANCS Token eventually replacing, but there are no technical details of the same available, while the regulation has it
Notification about authentication / verification to Aadhaar holder, including the case of offline verification, where OVSE should notify about verification through email and/or SMS on mobile number and/or paper based acknowledgement. Basically, get a slip when you share #Aadhaar
Chapter III is about licensing of service providers. Basically, any private entity fulfilling the criteria (regulated financial sector entities / telcos) + OTHERS(!) are eligible. Chapter also deals with responsibilities of ASAs
#OVSE - This is practically every amar-akbar-antony entity in India that demands #Aadhaar.

1 (b) makes no sense, after allowing to collect paper copies of Aadhaar at the top.
Log maintenance -- While @UIDAI itself will keep logs only for 6 months, per SC judgement, @UIDAI is now regulating that private entities / AUAs will have to keep them for 2 + 5 = 7 years! #SaveOurPrivacy
ASA too will have to maintain logs for 2 + 5 = 7 years.

Missed a key point on consent. Unless explicitly opted-out, you are presumed to have consented to modified purpose!!!

This is #ConsentWashing #AutoTickBox by regulation
What the above means - Unless one explicitly opts-out of anything @AyushmanNHA brings - one is deemed to have consented for any purpose they modify - after one gave #Aadhaar for vaccination.

This has grave implications on health ID + tracking.

1.3 is specifically for @AyushmanNHA - Remember NHA is an authority *WITHOUT* Centre / State Act.

"Special Purpose Organization" is a new phrasing.

2 is all regulated entities in financial / telecom sector.

3.1.7 is strange - What is "Any other entity"?
Category 3 -- Any other entity of national importance as determined by the Authority - for #ASA (which are directly connected to #CIDR) access is BS.

Does the authority have powers to determine entity of national importance in base act @apar1984 @prasanna_s @PrasanthTweets?
That's a wrap on the draft. There are few provisions "on paper" which try to give better rights to holders (like OVSE notification) - but sweepingly bad provisions undermine everything else.
#ANCS token reference from Aadhaar Authentication Application Security Standard (of JH SRDH) aadhaar.jharkhand.gov.in/Aadhaar_Authen…
#ANCS - There is very little technical detail on this OAuth(?) like implementation. "Please note that your Aadhaar number will be captured by the UIDAI’s ANCS (Aadhaar Number Capture Service) on their website" -- tells another search result.

Need more technical documentation

Keep Current with Srikanth ஸ்‌ரீகாந்த்