The CEO of UIDAI, Ajay Bhushan Pandey, has written yet another opinion piece in a newspaper, which bravely argues against established tech security practices.
While Aadhaar FAIL generally tends to ignore individuals and their opinions, it is important to examine the claim and competence of a highly placed public servant, who arguably occupies one of the most important positions related to technology in India.
The UIDAI chief writes that the fear of a threat to privacy because of the use of core biometrics (fingerprints and iris) in Aadhaar is exaggerated because biometrics are not secret information like PIN or password. People, he went on to add, must know that even the theft of biometrics in a rare eventuality will not put one to the same level of risk as the leakage of a password.
A threat to privacy, however, is not about whether the information is secret or not. It is about having the choice of what information we grant and to whom. The residents of India are not criminals whose rights must be waived away and who must be compelled to grant access to their biometrics, and that too to an insecure system, for the sake of a system whose compliance with the Constitution of the country has itself been questioned.
This, in fact, has been repeatedly brought up by the judges in the Supreme Court itself, and Pandey had the opportunity of being the only non-lawyer allowed to present his perspective directly to the judges themselves. The judges did not appear convinced and continued to see the invasion of privacy as an important issue left unanswered.
Perhaps Pandey means to call the judges Luddites as well? A Luddite, for those unaware of the term, is a person who is opposed to technological developments. Dr. Pandey calling those who oppose Aadhaar Luddites betrays ignorance of the meaning of the term, because the technological criticism of Aadhaar has actually been backed by technologically sound arguments and evidence. In contrast, the bombastic "Aadhaar mafia", as the proponents of Aadhaar are increasingly being referred to due to ongoing unethical practices, is yet to present any factual rebuttal.
It is worthwhile to take note of some of the Luddites, as Dr. Pandey would prefer to call them, who have been critical of Aadhaar. Justice K.S. Puttaswamy, retired judge of the Karnataka High Court and the original petitioner in the landmark ‘privacy case’, is one.
Vicram Crishna, one of the two Indians to help develop software to enable Stephen Hawking to ‘talk’ through his wheelchair; J.T. D’Souza, biometrics expert; Troy Hunt, a web security professional and regional director for Microsoft in Australia; French cyber security researcher Baptiste Robert, who tweets as Elliot Alderson; and Anupam Saraph, a respected inventor and advisor on governance, informatics and strategic planning, are also among those who have publicly expressed their concern about Aadhaar.
Alderson, in fact, has unfavourably compared Aadhaar’s approach to security to a ‘school level project’. Mozilla, the organisation behind the Firefox browser, has come out publicly in criticism of Aadhaar. And in case more critics are to be named, one can cite the names of legal scholar Shamnad Basheer, Linux consultant Anivar Arvind and Samir Kelekar, who has a PhD in computer networking and holds three patents related to mobile security.
It is an irony that critics of Aadhaar seem to have impeccable technological credentials while the UIDAI chief, who has the gumption to call these critics Luddites, himself doesn’t seem to understand the difference between private information and secret keys despite repeated explanations.
For his benefit, let me repeat the explanation. When you use a key to control access or authorisation, that key must be secret and not merely private. Just like guessing where you were on Saturday night or knowing the name of the street your home is on should not allow people to create a bank account in your name, lifting fingerprints off your glass of water shouldn't allow them to create a bank account and launder money in your name either.
A secret key must be one that is known only to the person who is the rightful owner of that access. In the event of a breach, it must be readily revoked and replaced. It must be unique. Just like you don't use the same password for your Twitter and netbanking, you should not use the same fingerprints for your PDS and money transfers either.
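The three properties above (secret, revocable, unique per service) can be seen in a small model. This is an added example, not code from UIDAI or any real system; the service names, the sample user and the assumption that one finger always yields the same template bytes are constructed for illustration.

```python
import hashlib, hmac, secrets

class Service:
    """Relying party that stores only a salted hash of each enrolled authenticator."""
    def __init__(self, name):
        self.name, self._db = name, {}

    def enroll(self, user, authenticator):
        # Enrolling again replaces the old record: revocation plus rotation.
        salt = secrets.token_bytes(16)
        self._db[user] = (salt, hashlib.pbkdf2_hmac("sha256", authenticator, salt, 100_000))

    def verify(self, user, authenticator):
        if user not in self._db:
            return False
        salt, digest = self._db[user]
        candidate = hashlib.pbkdf2_hmac("sha256", authenticator, salt, 100_000)
        return hmac.compare_digest(digest, candidate)

def exposure(services, user, leaked):
    """Names of the services at which a leaked authenticator still verifies."""
    return sorted(s.name for s in services if s.verify(user, leaked))

def run(new_authenticator):
    """Enroll at two services, leak the PDS authenticator, then re-enroll at both.
    new_authenticator() is called once per enrollment.
    Returns (exposure after the leak, exposure after re-enrollment)."""
    user = "resident-1"                      # constructed sample user
    pds, bank = Service("pds"), Service("bank")
    issued = {}
    for s in (pds, bank):
        issued[s.name] = new_authenticator()
        s.enroll(user, issued[s.name])
    leaked = issued["pds"]
    before = exposure((pds, bank), user, leaked)
    for s in (pds, bank):                    # breach response: revoke and replace
        s.enroll(user, new_authenticator())
    after = exposure((pds, bank), user, leaked)
    return before, after

def random_secret():
    return secrets.token_bytes(32)           # unique per service, replaceable

def fingerprint_template():
    # Simplifying assumption: the same finger always yields the same template bytes.
    return b"constructed-template-of-one-finger"

if __name__ == "__main__":
    print("secret   :", run(random_secret))
    print("biometric:", run(fingerprint_template))
```

With per-service secrets the leak is confined to the one service and ends at re-enrollment; with the fixed template it reaches both services and re-enrollment changes nothing.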
This is not very difficult to understand. If Dr. Pandey is not able to understand it with so many explanations provided repeatedly over years, perhaps he should undertake correcting the deficiencies first before holding a technology related job.
Till date there hasn't been a shred of factual explanation for why the criticism of Aadhaar is incorrect, while there have been various face saving measures because the UIDAI has no answers for valid criticism. Like the farce of "Virtual ID" to protect privacy after Aadhaar data has already been proliferated with little caution. If he has any factual explanation to show how Aadhaar does not violate privacy, he should not have kept it a secret from the Supreme Court.
While he is at it, Dr. Pandey should also name one private corporation that would pay the kind of money Aadhaar has cost the country for the quality of work on display. One corporation that deals with sensitive identity information or access to financial transactions that would be willing to risk access being protected by something as flimsy as non-revocable, easily leaked, private information.
When public funds are used to subvert public interest, criticism is inevitable. Calling critics names cannot stop it.
Sorry, sir. "Fikar not, all is well" does not quite answer the mounting criticism.