that it was overwhelmingly depressing and it dealt with, you know, CIA illegally spying on people and Julian Assange being under constant surveillance and you think it cannot possibly be worse, but it can because our next speaker is going to tell you about systems for collection of biometric data and digital identities and how they can potentially make lives worse not just for dozens of people but for hundreds of millions of people or billions of people. So let's hear it for Kiran Jonnalagadda. Yes, unpacking the compromises of Aadhaar and other digital identities inspired by it. Kiran is the founder of Karana Projects, an organization examining identity programs, so he's going to tell us about the most depressing thing you're going to hear in this room today. Thank you. Thank you Kiran.
Thanks everyone, I'm glad to be here. So let's get started. Well, as always, these things start with an origin story. So in the beginning we did not have identity cards. Everybody knew you by your name or your face. And then things got a little complicated and we got ID papers and before long this was a meme. Where are we? Okay, come on. Technology doesn't like working and it doesn't want to work. Yes, so we are hackers. We like to think all problems can be solved by hacking and a decade ago in 2009 in India some of our kind looked at this ID paper problem and thought there has got to be a better way. And why do papers have a life of their own? What happens if you lose your papers? Do you not have identity anymore? What happens if your papers are confiscated? Does that change who you are as a person? And how do we think of this in a better way? And so for inspiration you can go back to the Voyager spacecraft. When the Voyager spacecraft left earth for outer space it carried this image on it. Now this is the aliens edition of showing ID papers. You know, who are you? Humans. This is good for outer space, then why can't we do something like this on earth?
And so these people started asking why do you need to see my ID? You can see me. My body is my ID. So this is nice but bodies can't go online. And so you need to know somehow extract the soul of a body and take it online. And this is not an idle reference. This is in fact how they think about it and this is the statement that they make explaining how they think about this, that your soul, your atma, can be uploaded into the cloud and then exists online. And how do you do this? Well, the approach that they took up was to say collect all your biometrics. They take your photograph, they take your fingerprints, all ten fingers, they take two iris scans and they give you an Aadhaar, which means foundation, which is supposed to be the foundation of the rest of your life. This is quite literally now how you enter cyberspace in their vision. Now if they want so much data from you what more could they possibly want? And this is something that worried the judge of the Supreme Court of India who went on to ask, see, well, are you going to do this next? Now at this point you're wondering is this satire or is this science fiction? Well, nope, the database of the build has 1.25 billion entries in it and this is how they announce that number with a Christmas greeting. So where do they keep this data? As computer programmers we often struggle to explain technical concepts to a non-technical kind of audience and this is sort of what happened in the Supreme Court of India when a case against Aadhaar was being heard last year. The attorney general Mr. K.K. Venugopal, who was 87 years old at that time, explained data storage to the justices of the Supreme Court explaining that it is stored behind in a complex that is walls that are 13 feet high and 5 feet thick, therefore it is safe. So as you can expect the public found this very funny and since then 13 foot wall is a meme in India. What are you doing? Well, it's behind the 13 foot wall so nothing to worry about but this isn't your word jokes.
So we can go back to Arthur Clarke who made the statement, you know, that any sufficiently advanced technology is indistinguishable from magic. Your average person does not understand how technology works. So to them technology is magic and this essentially then means that we hackers who understand technology are society's magicians. You've got a magic wand, you wave it and problems are solved and this is how people think this is supposed to work but we know better. We actually know how technology works and we do not we know when technology does not work and it is imperative on us to call it out and that's what I'm here for today, to explain to you why this technology does not work and what we need to be doing about it. So let's start off with the basics. What does Aadhaar actually collect? This is their rough database structure. They collect biometrics and they collect demographics. In the biometrics they classify them into two components: the core biometrics, which are your fingerprints and your iris scans, are considered extremely confidential data and will never be shared, that's the mandate that they offer, but your photograph, which is also a biometric, can be shared because it is after all what goes into an identity card. The other part is the demographics. They collect your name, your date of birth if it is known. A lot of people in India do not know when they were born. They are your gender. You can declare yourself as transgender, that's accepted in the Aadhaar system, and then they collect a postal address and this information is what you submit when you enrol. Your biometrics are then sent for deduplication against the entire database so there are billion plus records in there. If you write enrol today they will compare your biometrics with every single record already in the database to confirm that it's not already enrolled.
Now this is a process that takes roughly about 45 days so that's how long it takes for them to confirm that you are a new enrollee and you now have an Aadhaar number that's guaranteed unique and anybody can apply. The only requirement is that you are physically present in India. The law says you have to be there for 180 days but nobody checks so you can just walk into any Aadhaar enrollment center, sign up and you will have an ID. The number when it is assigned to you is sent to you by post. You do not get notified online and the letter that they give you, it looks like this, is essentially the way they confirm finally that your address is actually real because if this was your address you're supposed to receive the card and therefore your proof of address is confirmed. This as you can expect is a serious problem for migrant workers who cannot guarantee where they're going to be when the letter arrives but we'll get to that later. So the API is available. There are three basic APIs. There is a demographic identification API which is unfortunately mistakenly called an authentication API even though it's not. In what you do in this API is if you're calling the API you submit an Aadhaar number and you submit a piece of demographic information, like you say this Aadhaar number and this name, do they match, and you get a yes or no answer. You do not get any information back. Or you can do this with fingerprint authentication. You actually upload a scanned fingerprint and an Aadhaar number and say do these things match and you get a yes or no. Or if you cannot take a fingerprint for whatever reason you can ask for a password to be sent to the phone number that's been registered and you get a six digit number, give the number and the Aadhaar number and say do they match, and then you verify that somebody gave you the right one-time password and therefore you authenticated them into their account.
All three of these APIs do not give you any information from the database except there's another one called the electronic know your customer database which is used for ID checks for institutions like banks where you do get the information back but we'll get into that again later. Now if you take just this minimalist API, see, very little data collection apart from biometrics, very little demographic collection and nothing is ever written back outside of the KYC API. So on the basis of this minimalism the Unique Identification Authority of India claims that it cannot be used for surveillance because it does not know anything. This is a public claim that they repeatedly make except for one little detail: the Aadhaar number itself is now a universal foreign key because that's what you use to authenticate with Aadhaar into some other database. And who runs those databases? As it turns out it's a government again, most of them are run by the government. So if you have a government that is really interested in surveillance and a department of the government runs an ID program which it claims cannot be used for surveillance, what should the government do when it really wants to use it for surveillance? But they make it mandatory for everything and that gets you a situation where Aadhaar is officially voluntary but in practice mandatory, which leads to the next meme in India. Aadhaar is voluntarily mandatory so let's look at what it's mandatory for. It is mandatory to collect any welfare benefit, it is mandatory if you want to pay tax or rather file your tax returns. I mean nobody will ever dare say we will not take your tax money. To file your tax return you need Aadhaar. If you do not earn enough to file taxes and you collect welfare you need Aadhaar so that's like everybody's covered. To get a birth certificate for a newborn baby you need an Aadhaar for the baby. To get a death certificate for someone who's died you need an Aadhaar number for the person who died.
If you want to get married well both parties have to provide an Aadhaar number and at this point it's like what's left? Who is it optional for? Now the death certificate part is interesting. How do you verify the Aadhaar number of a dead person? You can't take the fingerprints. I mean the dead can't consent. Apart from the fact that your technology will stop working once the body gets cold. You can't send a one-time password to a dead person's mobile phone because that's indistinguishable from theft. My phone has been stolen and somebody declared me dead. I mean is it is it acceptable? So they in fact do not have any authentication for dead people. Someone's dead. You can't get a death certificate without providing an Aadhaar number and well they didn't sign up for Aadhaar in their lifetime so what are you going to do now? You just submit any random number. Sometimes you submit your own number. Sometimes the coroner submits their number and so now what you get here is your first instance of a database that is supposed to be a biometrically secure and authenticated completely failing to do its purpose because this is a use case that was completely not considered. This is not unusual. The APIs I just described require a license. That license is almost impossible to get. So what do most people do? Well they just take an Aadhaar number and put it in the database. They don't bother to check anything about it. So part of what happens here is in the implementation of Aadhaar there is this recurring confusion between three very different concepts identification, authentication and authorization. The fact that you can accept my ID and confirm it's legitimate is not the same thing as confirming that I'm the holder of their identification and it's not the same thing as me saying I'm okay with you doing something in my name. These are three different things. I'll give an example of where this can go massively wrong. 
In 2017 the telecom regulator issued an order asking telecom companies to authenticate all of their customers to make sure that there were no SIM cards issued to people that they do not know who they were issued to. So they forced an exercise across the country asking telecom operators to go find their customers and get them to authenticate with Aadhaar. Telecom companies have become so big in India that they're turning into banks and so this happened with one of them. And after this exercise a lot of people started complaining that they were not receiving welfare benefits anymore. I mean you authenticated your phone connection and your welfare stopped. What happened? So this this turned into a bit of a scandal and eventually we discovered what had happened. All of them had opened new bank accounts that they did not know existed and the welfare money was going to the new bank account. Here is how much the external fraud was and this is just one telecom operator. The telecom operator had obtained a banking license and they were desperate for customers. So when you went to authenticate your phone connection they used that authentication as authorization to open a bank account and reroute your subsidy money and you would not even have been aware of that. And so this scam essentially stole 1.9 billion rupees from 310,000 individuals for one telecom operator alone. I think the number is wrong. It's not 310,000. It's 3.1 million. I'm sorry. I'm lost by 1-0. So how do you make a mistake this fundamentally in your design? And for this you have to go back to what the attorney general said. You know, the same day that he said that it's protected by a 13-foot wall, he also went on to explain what the whole point of Aadhaar was. And as you can see the assumption made in Aadhaar is that the individual is fraudulent unless they prove that they are not. That is the fundamental design assumption of Aadhaar.
So what it has essentially done is that it's very carefully replaced your rights as a citizen with privileges granted by the state for good behavior and that should have been a violation of the constitution. It takes people a while to realize that this is a very subtle change that they made, that you were entitled to welfare under the constitution of India. And it was the state's responsibility to give it to you if you deserved it. But what they did was flip it around and say you have to be the person who proves your legitimacy to receive what is actually due to be you. And then we have a term for this. They call it the self-cleaning database. This is a reference I found in a book, the first time I found an explanation of how they thought about this. So essentially for the state to hold you up to your rights requires considerable resources on the part of the state. And if the state's running a budget deficit, well, they're not going to deliver on your rights as they're supposed to and this is the fundamental problem of most developing economies, that you may have rights but the state doesn't know how to give it to you because they're lacking the capacity. So what Aadhaar does to solve the problem is to say, well, if the state can't do its thing you must do it as a citizen. This is your duty as a citizen now to behave like a good citizen and show to the state that you are keeping your data clean. This is not a wayward reference while this is an author in a book pointing this out. In fact this is how the state explains this in the Parliament of India. The Aadhaar system has a mechanism of self cleaning the data during course of time. So what happens when you aren't with people like this? If you insist that to collect your subsidies, to collect your rations, which is food that your rations food, if you want to collect it you must authenticate biometrically and the technology does not work for whatever reason. Your fingerprints don't scan, there is no cell phone connection.
Something else has gone wrong. What do you do? Well, it goes to bizarre extents. This is a news story where a remote village in India did not have a good mobile connection but somebody discovered that the top of the tree there was an internet connection and so they put a fingerprint scanner on the tree and now you climb up and put your finger there and only then you're given food. This is one example but obviously there are lots of these so what happens if we can't do this? This is a dive. This is a compilation of reports of how many people have died because the technology failed. These numbers have been growing. Fortunately last year the Supreme Court insisted that if the technology doesn't work it is not the citizen's fault and you must provide an alternative and I don't know what the current numbers are. I don't expect they're much better than this. It's probably as dismal as it is because the state really has no interest in upholding rights. So ironically enough the database design has no feature for reporting a death. The official FAQ says somebody or relative who has died, how do you report it? And they say, well, we don't know how to record a death so just ignore it. So what happens to dead people? We start off with this talk of how your soul, your atma, is uploaded into the cloud. As it turns out now you become a ghost in the system and you continue to exist as a fictional entity in a database because they do not know how to record that you have died. This URL has a list of possibilities and problems that arise out of the fact that they don't know to record a death. So why are they doing all these things? And the logical purpose, you know, what is it supposed to do? It's supposed to fix a corruption problem in welfare distribution by ensuring subsidies are not misrouted and delivered to someone who did not deserve a subsidy.
So the way they do this, and this is an employee manual from 2014, is the next track and the basic idea that is part of the training for government employees is that you must record an Aadhaar number for every person in your database. So if you got like 100 million welfare recipients you are required to collect 100 million Aadhaar numbers. How do you do this? One, you can go door to door and collect everybody's numbers. Or you can do what's called an inorganic seeding and they use the term seeding to describe the act of collecting Aadhaar numbers. So they have what's called an organic seeding where the beneficiary comes to you and says here's my Aadhaar number and then they have the inorganic seeding where you take it without their consent. It's in the manual. So they also claim this is foolproof because beneficiaries who are claiming benefits in the names of others, such persons will not be able to authenticate themselves. After all you're supposed to do a biometric authentication before you take their name in the database. But when you're doing it inorganically you're not doing a biometric authentication. And so what happens there is they also point out that it is possible for the government employee to get it wrong and they're just you know possibility of life. So essentially thumbs up to the state, thumbs down to the citizen, that's the design. Okay, and of course bullying a person to comply is not the same thing as technology that actually works and fraud exists as a violation of technology itself. Here's a case where an Aadhaar number was issued to a god. Okay, and the letter was printed, it was dispatched and the postman had to return it saying I do not know where to deliver this. So how does this happen? As it turns out the hackers who built this, who are so proud of their biometric deduplication, completely forgot about document verification and you can put a real person's fingerprints and upload a picture of a god or a dog or whatever else.
There have been Aadhaar numbers issued to cows, to trees, to gods and nobody checks those documents. You can be anybody you feel like. You can also get around it by not submitting biometrics because, well, there are people who don't have fingers or who don't have eyes or whose eyes won't scan and what you do about them, so in your technical design you offer a biometric exception. All it requires is an enrollment agent who's willing to accept that you have an exception and must feed it in the system. How many cases of fraud have happened using the exception route? Nobody knows. Okay, out of the 1.25 billion enrollments that they claim how many of these are fraudulent? Nobody knows because nobody checks these documents. You can get a document in the name of the god if you like. Now it gets even more bizarre so this is from a news report and this news report very conveniently published the Aadhaar number itself, which is a 12 digit number up on top. Aadhaar numbers are supposed to be confidential like they are like credit card numbers. If you have the number you can claim to have given welfare to someone so you do not publish your number in public. So this went out in the press and someone else built on this and got himself a gas connection. Subsidies. So Lord Hanuman the god has an Aadhaar number and also buys cooking gas from the state. So at this point I could just go on and on with these stories, like any manner of fraud you want, it's in the system, it's been exploited and the ultimate prize obviously is if you can steal biometrics itself and that too has happened. So this is the case in the state of Uttar Pradesh where the police found a gang trading in stolen biometrics. There is a little bit of side story over there, you know, where at the top they refer to them as a gang and then below they become hackers and this shift in usage is not innocent.
They use gang to refer to low intelligence thugs who are operating on the street and then they use the word hackers to refer to people doing a higher level act. In this case this part became an extremely interesting story for us to investigate because we discovered how bad the enrollment software itself was. When you enroll the enrollment agent is required to first authenticate themselves and then accept an authentication on behalf of the individual who is trying to get enrolled and the enrollment agent's ID is used to ensure there is a quality check. So you know if there's fraud you know who was the source of the fraud. It turns out that the enrollment client is built in Java and it's a bunch of jar files and the authentication module is a jar file. If you do not want to authenticate you replace the jar file with something else that offers the same API but does not authenticate and that's it, you enroll. That's the quality of the software. So when you bring these issues up with the UIDAI this is what they do. They are the Ministry of Denial. Every single time you report a story like this and say we have discovered a data breach, we have discovered a vulnerability, we have discovered something going on. Well, they say, well, the data that we have in our database is safe, it's your copy that's stolen. It's effectively the CIDR is the Central Identities Repository and the CIDR remains safe and secure. Nobody has managed to break in. Nobody can use your Aadhaar number without authentication. Official response every single time you report a problem like this. It's gotten so bad that the former boss of UIDAI is a man named Ram Sevak Sharma who is currently the chairman of the telecom regulatory authority issued a public challenge saying hack me. I guarantee you you cannot. Now this is incitement to a criminal act. It is also a violation of the law to publish your own Aadhaar number but he's the boss. He does it. Nobody says anything to him.
It's a statement of his privilege more than anything else. So he went on to promise that he will not take action against anyone who hacks him but how the hell does a private citizen offer you immunity against a criminal act? So obviously nobody took him on and he went on to declare victory and all we could do was make cartoons. Yes we did. This literally was the only way to respond to a provocation like that. So once again you have to stop and ask how is it possible for such utter incompetence to come out of a democracy? I mean democracy is supposed to have checks and balances that prevent this kind of thing from happening. How did this happen? And one way to understand it is maybe Aadhaar was never about welfare at all. Maybe it was never about giving people identity. Maybe it was always about the state wanting to make it convenient to identify people. And once you look at the timeline of Aadhaar, where did this project come from? How did you create a project that goes on to enroll a billion people? I mean it can't happen just because people voluntarily came and said I love it, I'm signing up. It had to be forced from them. What forced them to do it? So the larger timeline is just completely apart from where this came from and it goes back to 1999. That was a year when India went to war with Pakistan over a conflict in a region called Kargil in the state of Jammu and Kashmir and what the government of India figured is some people from Pakistan came into India, passed off as Indian citizens and caused this to happen and so you can't let this happen. You can't have non-Indians wandering around the streets of India. How are you going to stop them? So the government's solution was, well, we're just going to interrogate every single resident of this country and find out if they're Indian or not. So they called this project the National Population Register. It was meant to be a database of every single citizen of India. This was after the 1999 incident, not recently.
And then they had a second project called the National Registry of Citizens where you take the NPR data and go back and interrogate everyone and see are you Indian or not. With all 1.2 or 1.3 billion people and then they lost elections. So 2004 they lose elections. The project basically doesn't move forward and the new government appoints a technocrat who gives it a new marketing spin saying look, this is not about surveillance at all, this is about welfare and we're going to make people's lives better and he goes on to create a fairly fantastic media profile to the point where The Economist does PR for him. You saw what goes wrong with Aadhaar. Everything that goes wrong and this is The Economist last week essentially saying Africa should import this from India. It's Economist. You can look it up. So you have one PR campaign running like this about how it's all for welfare and you have the government that sponsored this PR campaign who went on to lose elections again. And the party that originally created the surveillance database in 1999 is back in power now since 2014 and they're back on the original agenda. And so this month they passed what's called the Citizenship Amendment Act which provides a path to citizenship of India if you are from Pakistan, Bangladesh or Afghanistan and you're not a Muslim. That's the condition. The bill explicitly excludes Muslims from citizenship of India. Now this is very clearly a violation of the constitution of India. In fact Article 14, which is the shirt I'm wearing here. This is my protest shirt, essentially says that the state shall not deny equality before the law or equal access to the law to anybody in the jurisdiction of India. It is not restricted to citizens. It is applicable to all persons and the act that has just been passed is a violation of the constitution.
Now we have a majority in government they can do what they please because there is literally no opposition to stop them which leaves it up to the people and as a result of this there have been protests all over India for the last month. Sample of news reports. There have been millions of people on the streets of India walking around asking for protest. Most people have not figured out that this is actually based on Aadhaar because Aadhaar is the marketing term for the project that is meant to surveil and separate the people of India into citizens and non-citizens based on their religion. So this is very tense. This is from the protest yesterday morning.
Thank you Kiran. We have some time for questions so please line up behind the microphones and we also have Signal Angels who will pass on the questions from the internet and we're going to take one right now.
Were there any data leaks when the guy posted this number on Twitter?
Well, there have been multiple data leaks. I'll point you to a fairly interesting one. The chairman of the UIDAI, Mr. Nandan Nilekani, thought so little about data leaks that he published his Aadhaar number online many years ago and after subsequently being told that maybe this is not the best idea for you as a chairman of the entity to leak your own number he finally deleted it but the internet never forgets and you can find this on Stack Overflow today. So you just go to Stack Overflow, search for Nandan Nilekani and you will find his Aadhaar number. Consequences of leaks? Yes. In fact the estimate of the total number of Aadhaar numbers that are leaked in public is well past 200 million.
Thank you. Microphone number two please.
Yeah, first of all thanks for the talk. I think that civil registry and public databases or public service databases of citizens are definitely a topic that we should discuss here more.
The problem with this one is very very obvious but I'd like just to mention that many of the privileges that we as a community being grown up in a western, let's say, stable democracy, we derive from having a birth certificate and being able to get an identity even if it's just one in paper. And there is a question coming, right? Yeah. So I would like to ask one thing. Yes. Why don't they use the paper that is being sent out as sort of an identification thing like we have with our ID cards?
For a simple reason that they really believe in this vision and they do not want people using paper cards. But also in terms of was this the first ID, because you know India doesn't have comprehensive birth registration. The UIDAI answered this question under the Right to Information Act which is like the equivalent of the US freedom of information access. And in 2015 they explained how many times, how many enrollments happened against other documents versus the person not having any documents at all. And the percentage level was 99.5% had at least two documents proving their ID. So this idea that it gave ID to people who do not have one is completely false as per their own admission.
Thank you. Microphone number one.
Do you generally oppose the idea of a central identification number or just the implementation by a flailing state like India?
That's a slightly loaded question. Yes. So the state always makes a huge difference. You know, the quality of the institutions of the state make a huge difference. I was in fact having a discussion with someone here yesterday who pointed out that distrust in centralized ID seems to be a commonwealth phenomenon. The UK doesn't have one. The US doesn't have one. But Germany seems to have one. And most civil law jurisdictions seem to be okay with the idea of centralized ID as long as it's well regulated. So yes. So the nature of government makes a huge difference.
And I would say I can't speak of the technology of whether it's being good or bad separate from whether the governance of it is good or bad.
Thank you. Microphone number two.
Hi, Kiran. Thanks a lot for the talk. If I'm not wrong, a few months ago, maybe a year ago, I read about this big democracy event going on in India. Now there are a few countries that are considering using IDs for elections to avoid fraud and all the sort of things. And I come from a country that has been trying really hard to implement an ID system that is reliable and helps to combat fraud in elections. Do you think this ID system can be somehow reformed to make the whole democracy process easier in India?
We have a case study of this fortunately. So I don't speak from theory. So in India, we had a state called Andhra Pradesh which split into two separate states. So now they're called Andhra Pradesh and Telangana. And part of what happens when you split a state is that now you have separate elections for each state. And so you need to know who the voters of your state will now be in the new state. Previously, you had one voter database for your entire state. Now you have two separate voter databases and you need to know which person is in which state. So for the process of separating the database, they went ahead and collected Aadhaar numbers and ended up deleting a significant fraction of the voter database because they couldn't prove that they were residents of the state. Assam is a different story. So the Andhra Pradesh and Telangana story is particularly illustrative of how if you think you can bring in a technological solution, you probably are going to make it worse. In fact, you're guaranteed going to make it worse.
Thank you. Kiran Jonnalagadda. A round of applause.