Nemo
May 29 17 tweets 7 min read
This PR from @UIDAI yet again proves how Aadhaar is malleable beyond any scrutiny.

(Now withdrawn: pib.gov.in/PressReleseDet…)

A thread on the history of how this has changed over time.
@pramodkvarma (Chief Architect, Aadhaar)'s presentation in 2010 at IITB claimed Aadhaar would only have a "YES/NO" response.

cse.iitb.ac.in/~comad/2010/pd…

[Image: presentation slide screenshot, title: "...authenticate…"]
@NandanNilekani (then Chairman, UIDAI) claimed the same in a presentation to the World Bank on April 24 2013.

thedocs.worldbank.org/en/doc/3653214…

worldbank.org/en/news/video/…

> Only YES/NO response, no details - no invasion of privacy.

The same presentation voids this claim by mentioning eKYC.

[Image: screenshot of slide number 5 from Nandan Nilekani's presentation]
This lie continues to be repeated by @UIDAI on their official website:

uidai.gov.in/289-faqs/your-…

[Image: screenshot of the UIDAI website with the words "The UID…"]
The eKYC APIs currently return:

- Name, UID, DOB, Gender, Phone, Email, Address
- Address in local language
- Digitally signed e-Aadhaar PDF

Aadhaar went from a "YES/NO" system to a surveillance API in a span of years.

uidai.gov.in/images/aadhaar… (Section 3.4.1)
Another point of malleability: What counts as a "valid Aadhaar".

In 2013, UIDAI claimed:

> the cut away portion of Aadhaar letter is as an officially valid document

(This is wrong; the law says "subject to authentication")

economictimes.indiatimes.com/news/politics-…
This is a major issue with Aadhaar: A xerox is identical to your original Aadhaar, and holds the exact same information.

It needs to be digitally authenticated to be worth anything, but not everyone could do so.
So UIDAI "morphed" Aadhaar again to fix this issue with e-Aadhaar, which carries a QR code for offline verification.

You can scan the QR and read the information on the QR code.
So e-Aadhaar showed up.

April 2017, from a UIDAI Circular:

> "downloaded e-Aadhaar should be treated at par with printed Aadhaar"

uidai.gov.in/images/uidai_o…
Now an e-Aadhaar by itself only validates that the information is valid, but it doesn't validate whether the bearer is the same person as on the document.

So photos were added into the e-Aadhaar QR code (which got signed). So, you could scan an Aadhaar, and match the photo.
Feb 2018: livemint.com/Politics/5Gr7j…

> UIDAI has recently replaced existing QR code on eAadhaar having resident’s demographic details now with a secured digitally-signed QR Code which contains demographics along with photograph of the Aadhaar holder
By 2018, Aadhaar had gone from a "YES/NO" API to a printout that carries your low-res photo that anyone can still use for identity theft.

What about "PVC cards"?
Feb 2018, UIDAI Press Release

> The print out of the downloaded Aadhaar card, even in black and white form, is as valid as the original Aadhaar letter sent by UIDAI. There is absolutely no need to print it on plastic/PVC card or get it laminated.

pib.gov.in/PressReleaseIf…
Quick security aside: Your goal in infosec is to make fraud economically unfeasible. Fraudsters will always find a way, but you must keep the cost of an attack high enough for it to be unfeasible.

e.g. Captchas are fallible, but they are an economic barrier for what they protect.
(Twitter deleted the rest of my tweets, so re-typing)

Common security guidelines include things like holograms, watermarks (costly to forge). UIDAI decided against these by saying no to PVC cards.

[Image: UIDAI Twitter screenshots from 2016-2018 discouraging use of…]
In 2020, Aadhaar morphed again to offer a PVC card with the usual security features.

It costs 50 INR.

uidai.gov.in/contact-suppor… (What are the security features of “Aadhaar PVC Card”?)
However, the old Aadhaar printouts and letters remain as valid as always. No statement from UIDAI asking users to upgrade.

The world's largest Identity Program has ever-shifting security and privacy guarantees, but there's no accountability from UIDAI.

~FIN~
