I guess we will also repeat ourselves a lot because people will walk in and walk out all the time. Walking in will be consistent. I mean, happiness is real life. I am so used to saying I will be there at time and coming on time. The problem is people coming in from work, they can't control. They cannot get out of work at the time. Really? Really? Yeah, by the way, did you get any pinks from the London camp? At least two or three. Even after the articles? Yeah. At least two or three. Pink from London's camp? Yeah. At least four or three. Who? You don't get one. Yeah. Can we see later? Yeah. I will tell you later. I am usually a friendly person. I just have difficulty with products which have security issues. And if you look at it, I have always been a bit odd person even in the company. My job is to tell that the product security architecture is crude. It's not a very nice job but that's the way it is. The model is that you better get embarrassed by me inside a closed room than be embarrassed by a person who's outside, by a large number of people. It just seems to be very difficult for this project. If you even got the basics wrong, that is all there is to it. Okay, so I guess you start to ask me, how many of you here have a job? I go to something and you don't. You don't know? No. You have one. Probably in the back. Yeah, you have. So that's it. You can also start with a lot of interaction. Yeah. So what's your name and do you have Aadhaar? Yeah. I think that is the great arithmetic proof that you have. Which means? That. My name is Rajesh and I don't have Aadhaar. I am Kiran and I don't have Aadhaar. I am Anand. I don't have Aadhaar. I am Manivar. I don't have Aadhaar. I am Rajan Chandi. I just got into Aadhaar somehow. Great. I don't have Aadhaar. I don't have Aadhaar. I don't have Aadhaar. I don't have Aadhaar. I don't have Aadhaar. I don't have Aadhaar. I don't have Aadhaar. I don't have Aadhaar. Nothing wrong per se. Okay. I mean, if you haven't, you have nothing wrong about it.
Okay. And so, you know, one next question is, what do you know about Aadhaar that is a cause of concern for you? What is the issue discussed today? So, it has a biometrics collection of all the individuals who are registered on it. And it's not really secure. I mean, data has been deep. There have been instances on the internet as well. Like, there was a famous one. I remember from Twitter that I was voting that data was being come out by just using this one of the KYC documents. And so, I got to know, I mean, it's not very secure about it to pose a problem, not acted upon with any leaks that happens in the community. And it is de facto social security number as in the U.S. right now. And it's going to be getting first towards that state of the area. And to get there, it's necessary to make it secure because n number of things can go wrong with any individuals like with other secrets or other biometrics can be issued in any way. Because now it's all leaked everywhere, by red lights. So, what is it? First thing, the problem is, I was initially when they said, oh, this is not a big deal. But I have a plan. I have a license. I have a passport. Is this not enough? I mean, these were not enough that you had to bring in a whole new thing and then post it on everybody. That was the first issue I had. Then, of course, to security. And when I picked in all that, I learned data. That was not my first issue of course. But that, you are forcing something new when you can't fix what is already there. That's my biggest issue with that. That was the only one I could use. My issue is with, should I? Yeah. Yeah. In 10 people, how does it matter for you? That's the main issue for me is cross-linking. Why does my ration shop need to know which same man you are? Why does my SIM card need to know what's going on? If you link them all through the same key in a table, they all become joints. So, yeah. So, I think it's also worth noting that other attributes cause video is the key.
The question is, does anyone believe it has a real key? How one can be sure there is not being linked? Is there a way to be sure? Yeah. So, that's the question then. Yeah. And I have maybe a hundred reasons for why I am opposing that. But when I am looking back now, my major issue is the totalist oil of digital concern and the absence of our presentation. So, it is affecting whole data privacy and all kinds of policy making in India? The absence of? Consent. Consent is broken in Aadhaar. Actually, Aadhaar is very powerful and it's important for us to understand who actually controls it. It seems like it's an NGO and things, but there may be some invisible powers controlling it and that can be a cause of concern. Some more accountability. Yeah. Who owns what data and how is it being used? And why someone cannot sue it? Because it's like a God to us. Who is the God? Somebody was comparing it to social security. So, it's easier? Yeah. Somebody was comparing it to social security, but you have laws that if your social security number is misused, you can approach the court and you will be paid some listing to balance it out. And then you can sue companies, you can sue individuals. But what we have is UIDAI, only UIDAI can sue UIDAI, which is never going to happen. We all know that's a UIDAI. That was my point while comparing it. Like there was no specific worst-hit laws, enforcement on that. Right. Getting the status of this. Without the framework. Without the framework, so they keep comparing it to things, but they don't really go into the depth of... There needs to be a framework. But even if you had a law, how many laws in India are immediately followed? And how long does it take to implement or actually enforce a law? Actually, if you have a law, it's an interesting point. Because I mean, everyone thinks that the law is one kind of thing. Actually, it's a collection of laws that we work with.
So it's like you go to a hotel and there's a menu of several different kinds of food. It's all food, but all the food is not the same. Right? Some food comes to you in a state that you can immediately eat it. Some food is brought to your table and then you need to mix it together before you eat it. Or, you know, there's different kinds of ways in which... Similarly, some laws... Somebody has to complain against someone else for that law to come into... No, I understand a law being good. I mean, it being there. But in the case of our country, how many laws are there which are really enforced? No, that's what I'm coming to. So for example, if you commit fraud against me and I complain against you, I can use the force of the law to act against you. I can ensure that it acts. Right? Then there are laws where the state has to take what's called suo motu cognizance, which means that it's a crime against all of us. So the state says this is something we must act against. And the state then ensures that the law is acted upon as it should be acted upon. The Aadhaar Act, the problem is that the law can only be called into action by UIDAI, by nobody else. And so then the question becomes even more exacerbated, which is, will the law ever be followed? It's like saying, I have to call the law into action whenever I make a mistake. So will I call the law into action against myself? That's the... Is Aadhaar beyond Supreme Court or not? Yes, it is. Because it still acts. According to the Aadhaar Act, nobody except the UIDAI... Sorry, no court can hear any matter connected to Aadhaar except when brought forward by the UIDAI. This is in the Aadhaar Act. I think this is unfair. So what it can do is you can't report a crime under the act. You can only fight the act itself. And so the act is unconstitutional, take that to court. I think that someone should do it. So those are ongoing cases. That's basically why the Supreme Court hearing has been postponed over again.
And Aadhaar is getting linked with everything. So every issue you have to... You have to wait for the next meeting. Actually, I'd like to just kind of summarize what my problem with Aadhaar is. My problem with Aadhaar is on multiple fronts. If you look at how our state is set up, there's the legislative, there's the executive and there's the judiciary. Now legislatively, Aadhaar is deeply flawed because it was passed as a money bill which means the bill purposely circumvented Rajya Sabha. It was never debated in the Rajya Sabha. It was passed in a big hurry in the Lok Sabha without sufficient discussion. And usually money bills are reserved for matters of critical urgent importance. I mean, you have done this yesterday. So we have to get this done today. So let's not wait with you asking Rajya Sabha which is actually the place where senior statesmen sit. And Lok Sabha is supposed to listen to Rajya Sabha. That's why we have Rajya Sabha which has senior statesmen who will give us their political wisdom. But that was circumvented. So legislatively, Aadhaar is flawed. Executive wise, Aadhaar is flawed because nobody knows who is executing on behalf of Aadhaar. So UIDAI says, we are not passing any notifications. We are just the people administrating Aadhaar. Then you have the Ministry of Information Technology, the food and civil supplies, women and child welfare, all kinds of ministries passing notifications using Aadhaar to make something mandatory for a service that you need to claim under that ministry's jurisdiction. So the execution is all over the place. You are told that you go to the hotel and you get one meal and then suddenly nine people are throwing different kinds of food and you are not having a satisfactory experience. So executive wise, it's flawed.
Judicially, it's also flawed because there is no legal recourse for the person who is the most affected by Aadhaar, the person who is giving up his biometrics, his eye scan, his fingerprints and trusting all his personal information. Once you link everything, my financial information, my phone numbers, which is all my private communications, my health information, my consumption patterns, everything and trusting with an organization. And if that organization messes up, I have no legal recourse. That's kind of why somebody that legislatively, executive wise and judicially, Aadhaar is like deeply flawed. And historically it messes up. Yes, yeah. Historically, I mean people complain, complain, complain and then a change is made saying from now on it will be okay, don't worry. And then people say, okay, the new system still doesn't complain, complain, complain, complain and then something will be done saying, okay, now it's okay, don't worry. And then again people say, well, with the brand new thing that you made, people complain, complain, complain and then they say, okay, now it's okay. Finally, now it's been fixed. So the latest thing, of course, that we've been hearing about is this Airtel Payments Bank fraud. And this, as of this morning, the UIDAI has chosen to only selectively terminate Airtel's eKYC for the Payments Bank business of Airtel. But it's allowing Airtel to still go ahead with the eKYC for mobile phone SIM verification. So does that mean UIDAI says that Airtel messed up big time, but only the Payments Bank part of this organization actually is problematic. These other guys are good guys, so you continue to do it. What you did was wrong, so please stop doing the suspended license, right? It's stupid. We'll just give you and then decide what happens. Yeah, it's like you steal with your hands, okay. Put your hands in jail, the rest of you will just stay on.
The issue's not just that, because whenever the tech people getting involved and started criticizing, these people directed their whole tech documents over the time from the website. So, yeah, it includes... Fortunately, thanks to Archive.com and people who... They banned the site. He has a question. So when you say the Airtel thing is a fraud, is it really a fraud? Yes, it is. So here's how it happened. I understand the tick box and people writing their Aadhaar numbers. I'll ask you a different question, which is this, right? You didn't open a bank account. You were supposed to review subsidy on your HBI, and we are talking not about you or me, we are talking about people who are really living by 5000 rupees a month for whom the 300-400 rupees subsidy is probably the biggest thing, right? In terms of... My point is, isn't it by design that the latest bank account link to your account will be used? It is. Yeah, it is by design. But it's not your account. No, no, the account should be... The opening was... I mean, they put a report check box beside it. So the design is a fraud? Yes. There's two parts to this, okay. Airtel opening a payments bank account is not something NPCI needs to know about. Because NPCI only cares about the Aadhaar Mapper. It doesn't control anything else. Right. No, because a NEFT or an IMPS transfer is... account number is directly specified by the sender. So NPCI doesn't need to know that you have an account over there. Always knows which bank and which account number. It's only with Aadhaar Mapper that Aadhaar number plus bank is what NPCI records. Now, Airtel had no reason to update that line and say, hey, the account is not with me. It's... It's acquisition of Aadhaar Mapper. There is an... But my point is, is it really legally... There is something, no? No question also says that you have to inquire specific consent from the customer whether he wants that link. Yeah, I didn't find it. Yes. It's not Aadhaar Mapper. It's not NPCI.
It's not Aadhaar Mapper. How do I know these things? These are all the things. Aadhaar Mapper. About NPCI. Yeah, but it's not probably... So, what is worth... So the UIDAI believes this fraud because they collected 2.6 crore fine. So they are justifying the fine collection on some basis and we need to go look at the notifications and say on what basis are you collecting a fine because if it's not for all why you take a fine. And our NPCI, there is an APB mapper consent. So that means only from acquiring your, if you look at the post office bank account there is a consent for opening, putting your number in the mapper. So that is not offered by any banks. What is that sort of consent and how? You are saying that I gave my Aadhaar number. I opened the bank. That is first take. Which is what we call KVSE. I am making an explicit judgment and me as an individual saying I want to open the bank with Aadhaar. I am going and saying that I want to open a bank account. That is consent number one. Then the consent number two is not only I opened a new bank account, that bank account must now be linked with the Aadhaar mapper which is maintained by NPCI which after which any payment made to the Aadhaar number will come to that Airtel bank account. So there are two levels of consent. So these guys never took number one nor number two. No banks. And no one essentially takes number two. No bank essentially takes number two. Apart from post office bank. Apart from post office bank. No bank takes consent number two. Number number two. Everyone updates by default. You are saying consent there is a form and there is a tick box saying. Yes. Yes. Which is not enough. It is not only enough. It is not there. Yeah, I mean yeah. I mean I saw that on my Airtel app and I was like. No. Can I give you a comparison? You went to a shop. Okay. And you wanted to buy potatoes. Right. And you have said please give me potatoes. The shop gives you potatoes.
When you come home you realize that they also sent you 10 kilos of onions and a car which has been delivered to your house. Now you never asked for those things. And you never asked for it to be routed in a certain way. So when we talk about the law. So you were saying is it in the law? The law is a complex set of instruments that interact with each other. So the Aadhaar Act is one thing. Then there are rules which there are certain bodies which are given powers to frame rules through the jurisdiction of the Aadhaar Act. Aadhaar Act allows actually. Aadhaar Act allows are using Aadhaar number for any other purpose not to be defined by the set. Right. Yeah. But that's my point. Actually what we should do is go find us. Is it right? You already have corrected the five. Exactly. Exactly. Because let's go find the doctors. The doctors collect it. That much has been announced. Yeah. It may not be because of a violation of the law because that becomes criminal. Right. That is the point the lawyer would argue saying hey this is not in the law. We are going as per the law as state. We are being aggressive. That's fine. So think about it very differently in any contract. In any contract. Right. The way in which any contract law works is that you have to read the contract. I mean you and me are signing it. Right. You opening a bank account or you getting a SIM card is fundamentally not just Aadhaar Act. There is a whole bunch of other acts also which says that if you basically let us think about it. Right. Good old stories that you see in Hindi movies. Right. Some guy is signing his property when empty paper is being kept on the bottom and he signs it. That is exactly what they mean. Yeah. And he signs it. Right. Now you can go back and say oh is it being covered by the Aadhaar Act? I mean maybe or maybe not.
But the fact of it is there is a whole bunch of other contract laws that are basically covering saying if consent is not taken while signing a contract people can even if consent is taken. A consent is not taken. That is point number one. Even if consent is taken I didn't understand what shit is this. So I signed. Right. That is also a whole bunch of contract laws which you probably violated. So it is not just this. Right. Aadhaar Act is just part of I mean the other thing that you will be very careful is Aadhaar Act is not the only law. Right. Okay. Right. And just like this there is no other alternative apart from eKYC stuff that people are going around saying there is no other ID than Aadhaar. Exactly. You have to go back and ask this question. This is not the only act around that has been violated. There are a whole bunch of other things that got violated. Sir this is a cross check. It's an interim penalty pending a national audit which means the charge will come afterwards. So we don't know if it is actually being considered as a violation of law is what I am trying to do. They have a point. There could be technicalities. If it were left to me I would consider this under section 420. No I agree that it is wrong. And to my mind it's without asking or consenting. Sir there are two things that we don't know which law they violated. Yes. Because nobody reported it so far. And we haven't seen the copy of the order itself. People complain to the LPG ministry. Sir. There are people complain to LPG ministry for their LPG subsidy going to Airtel bank account which is not in their control. So that's an LPG ministry issued personally stating that this much money went to Airtel bank account. That's how it is connected. All these oil companies complain. Yeah. Oil companies complain in this case. So do you just want to get into the technical details of how this thing works? Before then there are a couple of questions from the lecture. Sure.
First one is this person says it's actually NPCI mapper which screwed up and not Airtel right. Opening of an account without consent was when Airtel screwed up. Yeah. So the NPCI mapper has a technical design issue which is what caused this problem. It does not require consent in the NPCI mapper. I think you should get into that. So there's something that came up in a live TV debate. I did a couple of days ago with A. P. Hota who was the previous CEO of NPCI. And this is something we have known from the way NPCI operates but he admitted this on there. And he said that essentially NPCI operates on a good faith basis. If a bank claims that they have your account then NPCI says sure then you must have the account. They don't check. They don't check. They don't require consent. You know. And that's basically what Airtel had used. That they use this good faith basis to say okay we have opened an account for this person who didn't know that they were opening an account with us. And we also want subsidies delivered here. And NPCI says sure. You're a bank. You're a member of our association. So we believe you. My question is to what some shady websites do where it is like this is a free thing and in some way in the terms of condition it says there's a monthly charge of 30 dollars or whatever. Yeah. So Airtel has a charge of 0.75 percent to withdraw the money. Exactly. So they're doing exactly what that says. But if there are laws that say this is wrong. Of course. Of course. The contract law. So forget about even Aadhaar Act. Okay. Think about this contract law. Right. You and me are employees. I'm basically coming and saying hey I'm paying you 10,000 rupees a month for services rendered or whatever it is. And somewhere along the after you sign I say you know what. But I read some more deductions and stuff like that. I mean contract law basically comes back and says no you can go sue me and saying no I didn't even sign up for this. And that's all there is to it.
But here is the important part right. Where it gets very messy. So let's say I did this stuff and you can go and sue me on a whole bunch of labour courts and other places. However, if it is a crime that is committed where an Aadhaar number is involved the only people who can sue me is the UIDAI. Not you. Not me. And that is where it gets very messed up. So without this what will happen is. Who can. Who can. If they choose to. Correct. So they who can sue you and they need to would be different. Yeah. Who can if they choose to. Is even worse. Even worse. So fundamentally what it really means is that if you are a person who got cheated because of all there is you can't sue me. And you have to go out to the third party who is basically running the entire team and he can choose not to listen to you. Yeah. In which case where is your recourse. Also the customer care for a service which is going to 1.3 billion people is just one phone number which rings in a call centre and they are not obliged to help you with anything. You can just say that we have taken down your complaint and we will forward to the concerned authorities. We don't know who the concerned authority is what action they take. It is not even complaining. It is mostly candle place. Yeah. There is. Yeah. Yeah. It is not even the registered complaints. I just like to bring it back to what Keira was saying about the NPCI. Yeah. You were talking about going into the technical details. Yes. So basically the typical way a bank transfer happens is if you have an authority like RBI which manages NEFT or NPCI which manages IMPS, the basic assumption always is that the sender of the money has an ID number for the bank and has an account number for the recipient and it sends it to the routing agency saying here is the bank's ID and here is the account number in this bank. Please deliver the money to them. So why transfer? So that is typically how transfers happen that you provide two pieces of detail. Okay.
And whether it's RBI or IMPS which is NPCI's. Or the SWIFT. Or SWIFT. Or doesn't matter. They work like this. What these people have done with the Aadhaar mapper on the other hand is distributed to two levels. Okay. So now NPCI has one table called Aadhaar mapper which has Aadhaar number and name of the bank. Right. But not the account number. Right. Okay. And the bank has another table which has Aadhaar number Okay. So what happens now is now when you transfer money to an Aadhaar number you send it to NPCI. NPCI sends it to the bank. The bank is supposed to figure out who the actual account number is. If they made a mistake and the bank receives money for someone they don't have an Aadhaar number for. We don't know what's going to happen. Maybe this goes back. Maybe it doesn't. We don't know. I mean it has to go back. So this is ridiculously stupid design. You know it's because you can't control where the money goes anymore. You know put two different agencies speculating this. Second thing is that as a citizen I have absolutely no access to NPCI system. Right. I can't choose which bank I want to use. Okay. Only the bank can decide this. So you have multiple Aadhaar's going to the same Aadhaar. But if you have multiple accounts in the same bank there is no defined manner by which you can choose which one is the opposite of Aadhaar's subsidies. What about Aadhaar's case where I have one Aadhaar number at multiple banks. Yeah. Latest. Latest. That's what we were talking about. So the hack is to say the latest one will get it. So one of the things that they have done here is now you can see that you essentially removed control from the user. Whereas previously at least the sender knew where they were sending the money. That doesn't make sense. You said NPCI has only Aadhaar number and bank name. And bank name. Or the bank institutional identity number. Right. That is previously wrong. Now if I. If I. That was your money. That happens a lot. Now if I have. As per.
Where does that money go. Who benefits from it. So. So the problem here that happens. Sorry. I just want to finish my communication. If I seed. If I seed my Aadhaar number. Yeah. In bank A first. Yeah. Then in the NPCI mapper table. Yeah. Next to my Aadhaar number. That bank's name is there. Yes. If I seed in bank B next. Yeah. Automatically this goes there. Yeah. So it's just in a sense just changing the name of the bank. The name of the bank. That's it. That's why money should be sent. Yes. And after that it's up to the bank. To decide which account. I think there are two kind of AAPS. One is with the IIN and other is without. Directly to the account number. Yeah. So. I don't know. So AAPS have two different gateways. Yeah. So the default one is just Aadhaar number. Yeah. Default one is Aadhaar number and account number. Because all governments of cities. Yeah. Don't bother with IIN number. Yeah. In fact there's a law that says you're not supposed to allow. Send the IIN. Yeah. The NPCI rules. Specifically says that for subsidy transfers. You must not specify the IIN number. Yeah. Correct. You must only send specify the Aadhaar number. If you specify the IIN number. The request to be rejected. Correct. That's in their documentation. That is for the overdraft hook. The overdraft. That's to ensure overdraft hook. Overdraft hook. Overdraft hook. So now one of the reasons why NPCI came up with this really bizarre architecture. Is. As part of the PM's Jan Dhan Yojana scheme. Anyone who has only one bank account. That does a maximum turnover of 1 lakh in a year. Is eligible for an overdraft of up to 5000 rupees. Okay. Now the overdraft is given by the bank where you have an account. Which is kind of terrible for the bank. Because they're giving you a loan. Right. With no assurance that they will get repaid. Right. And no security. And no security. Because Jan Dhan Yojana accounts are also minimum zero deposit accounts. So for a bank to be able to give you an overdraft.
The government gives you a guarantee that the subsidy will come to your account. Right. It's like a future sale. It's like a lien on your future. Right. On the future subsidy delivery. On the future subsidy delivery. What they call a day zero loan. Right. I mean the day before your salary you get a loan. Yes. They know that the salary. Yeah. So and NPCI is very limited. 5000 bucks is not a lot. But it gives the bank. So think about why this architecture came. Right. Because if you look at it. Every bank that opens a core banking account. Which is what called CBS account. Incurs a cost of 50 rupees. So 100 rupees or some number. There is a license fee for it. There is a license fee for it. Okay. So if you if most of the banks run the core banking system. That's a license fees associated for every bank account that is opened. And managed by core banking. It is basically 500 bucks or 50 bucks or 100 bucks. I don't really remember it. It's basically license paid per bank account. Per year. Right. Now think about it. If you are a bank. SBI. And someone comes and says I want you to open. 100,000. Jan Dhan accounts. Zero balance. Okay. With zero balance. And you are like hang on. My cost for that is 5 crores. Where will I get that money? Right. So there is a cost to the bank. And banks are not very happy about it. Right. Because they are not going to get anything out of it. So the way in which these guys went and told them was. That look. If all the subsidies are coming to these zero balance accounts. You basically get some money. Which is the savings account. CASA account. You can get some interest on it. By loaning it to someone else. And normally that. Now you have an option of giving overdrafts. On the future subsidies. We will also come to that. And overdrafts are charged at 18%. 12% or whatever it is. And that extra interest that you get. Is fundamentally going to balance out the cost. That you are going to incur on a yearly basis. Right.
So the entire scheme of Jan Dhan has been that. A. Open bank accounts. B. Give subsidies to those bank accounts on a very regular basis. And cover the cost of the bank for doing zero deposits. And then finally. Ensure that it is overdraft as possible. Okay. Now the moment you bring overdraft as a possible thing. So here is the point. Why you why the subsidies not paid to the bank account. But to the Aadhaar holder. You understand. Right. It has to go to the account where you have. Where you have an overdraft. Okay. Subsidy is directly paid to the bank account. Tomorrow you can go back and tell it to him that. No. No. I want my LPG subsidy. Not on my SBI bank. In which case you have taken the overdraft. Then the bank loses it. Right. Whatever that. Let's say you took an overdraft and you walk it away. What will the bank have? Bank had nothing. Right. So in order to ensure that that doesn't happen. What this guy said was. Subsidy must always be paid only to the Aadhaar number. And if it is only paid to the Aadhaar number. Who's going to hold the mapping between the Aadhaar number. And which bank account it has to go to. It is NPCI. It is NPCI. And. So you can guarantee that if the bank says we have given an overdraft. Then nobody else will give the money. Okay. Wait. Wait. Wait. Please stop laughing. Wait. Wait. Correct. This is how may count. Incidentally, I really missed this. So let us say that I am the last bank. No, so then what my question is, okay, let's say I am a Jan Dhan Yojana operational account. Correct. And I have taken an overdraft. Correct. Now, if I seed some other account after my Jan Dhan account, it will not be locked. It will not be locked. It will not be locked.
So every time you take an overdraft, so what happens is the bank, it's again about the control of the bank on the mapper. So what you have to fundamentally understand is you as a user or an account holder do not have any control, none whatsoever on the NPCI mapper for a specific purpose. A specific purpose was to ensure that you don't take an overdraft and you walk away. And hence the write access on the NPCI mapper is fundamentally given only to the bank and not the end user. Now, this is precisely what Airtel has abused. You understood? Right. Okay. What happens is, let us say you are one of the... Sorry, I'll add one more point to that. The write access is given to the bank without corroborating consent for the user. Exactly. That is the important part. The NPCI operates on good faith basis. Yeah. All their banks are well behaved. And banking is not a faith-based industry. Banking is not a faith-based industry. Particularly, we are talking about loans. Loans. Bhagawan Pai Paro sir. So if you... Also this concerns people mostly like us in this room would have more than a lakh of transaction. So we never need that. We don't need that. So it's changing all the time whenever we do something with the bank account. Correct. Yeah. And so the other thing now is that a payments bank, by that license, is not allowed to give you an overdraft. Overdraft. Right. So there is no point in them being in that damn mapper. Yeah. Right. Because they can't give you an overdraft. So what's the point with Janthak? It's not a payments bank. They are not connecting. They are not connecting. Okay. So fundamentally what happens is, what he basically says is, Airtel payment bank or any payment bank has no business, none whatsoever, to have write access to the NPCI mapper. Because they don't give you overdraft. Correct. Okay. And here's the worst part. The other interesting thing is, in order to take money from the payment bank by cash, you have to pay 0.65% or 0.75% share. 0.75.
Who gets that money? Airtel. Airtel. Airtel charges you withdrawal fee of 0.75%. 0.75%. Okay. And there is no terminals. Huh? And there are no terminals. There are no terminals. There are no terminals. What's the ATM for Airtel payment bank? Oh. It's not like you're eating in a medium car, right? There is no ATM. You have to use the bank account. It's the other bank account. You have to use bank accounts. You have to use your bank accounts. You also have stores where you can go and withdraw cash. Yes, you can go to the Airtel store somewhere else. You won't understand that. Okay. But mostly... We use money in the back, right? Mostly that won't work because in Karnataka... Yes, at this point I've been losing my mind. Yeah yeah yeah, it happens. When the government substituted farmers subsidy into supposedly Karnataka bank accounts of farmers, it reached the title bank account. And most of the rural Karnataka there is no pressure for it. So then government didn't take rupees one transfer before the next transfer to ensure that everybody gets a subsidy and asked them to confirm they received one rupee. And then the next major issue was the farmers movement said, why we received one rupee subsidy? I heard this whole story last June. And this is not a story that is told to by a newspaper. This is actually a story told to us by the person who is operating the scheme in the Karnataka state government. It is also a news. It is not as big a news as it should have been. The point is that people only notice when they are the ones who got impacted. And last March, the same story I heard from the NRGP in Jharkhand. And also the other thing about the NPCI mapper, most people don't realize is that if you look at MNREGA, the Mahatma Gandhi National Rural Employment Guarantee Act. Now that also requires direct delivery into your bank account. Previously they used to do left transfers. Now they decided to do other left transfers. 
And so now the job officer who is handing out work goes around asking people for their bank account numbers, takes it down on a piece of paper, goes and uploads it into the NPCI mapper. And that's data entry errors. They have something called Consent Camps. Consent Camps. It is about Consent Camps. Consent Camps. Like a concentration camp, like Consent Camps. So in which every bank will come. That's interesting. So in that all the banks will come. The Aadhaar consent is taken. The mapping consent is taken because there is practical issues. Because every bank will not have the rural banking person in that area. That's why there is banking correspondents. Bank correspondents will not be there in that area. So some bank will take the consent which may not even have local presence. So along with that there is another thing happened as earlier. People used to track the money delivery to the person by how does it reach his hand. For example the post of his delivery and similar kind of things. But now with cashless it is going to some account on his or her name. So individual doesn't know about this. Individual have a password but he don't know which bank it is going. And in many cases banks will not have a business correspondent in that area. So they may have to figure out new contracts and appoint the new person. Because consent is taken earlier and bank account is open on the fly. So think about this very differently. So there are two parts to it. One is direct benefit transfer. Which people believe today as if it didn't exist before. So the fact of the matter is direct benefit transfer has been happening for a very long time. Without Aadhaar. And the way in which it used to work is a very simple thing. I remember it explicitly when the LPG thing came because they came and said Can you please give me your bank account numbers for the LPG ID. I don't have another. 
So when LPG thing came all the guys came and said On every scheme you please come and tell me give me a bank account detail. You see it and you're done. It will keep coming on its own. So the distinction and the difference is that I had control. I will precisely come and say that look this is the bank account in which I want my subsidy to be given. And let's say tomorrow I want to go and apply for some scholarship. And I'm eligible for getting some $10,000 scholarship in here. I will go and say that look this is the bank account in which direct benefit transfer to happen. I don't have a problem with direct benefit transfer as such. The problem happens is when you come back and say look You're going to add stuff like financial inclusion. You're going to add stuff like how will the bank make money. You're going to add stuff like overdraft. You're going to add stuff like how do I manage loan locks. Okay. And then finally you create such a system where the system is more tuned towards these fellows, which is banks rather than the person who's supposed to receive all his money. And I mean for most of the people who can afford not to get an LPG subsidy like me. It's perfectly fine. I'm leaving it out for a very long time. But you think in terms of what happened in MNREGA. The National Rural Employment Guarantee Scheme. Earlier they were paid in cash. When the whole thing started in one regime. I mean as you should have done with corruption. Some guy will take, some guy will not take and all. Then they switched to post office accounts. Which was far better way because at least there was some kind of a guarantee. And then they switched to bank accounts. And when they switched to bank accounts and then put his overlock and overdraft and all that kind of stuff thing. It basically allowed every single bank in the system to say. No I want all that subsidy of the guy here on my account. So this is where the NPCI mapper is. 
So you know understood how the abuse pattern spreads all around. And at the end of it, if you personally ask me. I don't have a problem with other aspects. I mean apart from all the other security stuff in terms of DBT. But you I mean in my personal opinion. I'll give it to you whatever you want. But privacy is not as big a problem for me. Compared to all the security polls. And the disaster it creates for welfare. You look at it. At the end of it you are basically creating a system. Which is not empowering people. To get what they are entitled for. Disempowering. Disempowering them. And I think that has been a fundamental. You look at it. Why is because when you shut it off. I have no problems with the DBT itself. But when you add it is overdraft. How will the bank make money. How will I sell insurance product for this fellow. And all that stuff. Oh bank has to make money. Then who has to fund this direct benefit transfer. If think about it very differently. If the PM Jandani was nothing. If the Prime Minister has gone back and told that. Okay I will find that 500 bucks or 300 bucks. Charge. Charge forever. You keep it. I think the problem would have taken care of it by itself. So if you look at traditionally what happens is. There is a cost associated with all kind of welfare schemes. Okay. And the cost is too high for government. To put it on the finance ministry's budgetary note. So they try to say it is free. And try to spread the cost to various third parties. Like banks. Third parties and banks and service providers. And those cases also can't take that cost. So they try to spread it to the actual person. Who is supposed to be benefiting it. So free for everyone who starts. Free for everyone who starts initially. And fundamentally everyone pays for it. The point you made about privacy and security. I would say the problems with privacy are there. Because there is a problem with the security. If somebody has my private details. And can keep them safe. 
Maybe I can live with it. Maybe I can live with it. The other part is also not understanding privacy in the first place. For instance and this is actually a problem that is a lot worse in the US. Because I don't know how many of you are familiar with the US banking system. So you know that in the US if you have somebody's bank account. You can take money from it. Is it? Yes. So one of the most common types of fraud in the US. Is somebody trying to give you money. Because the moment you give them a bank account number. To deliver the money into. They take money out instantly. So it's kind of ridiculous how bad their system is. Because people are afraid to get paid. You know from people they don't know. So instead they send it to PayPal. Or some other mechanism. That's why PayPal works so well over there. Their faith in the banking system is that broken. It's zero. So they have that problem there. And what we've taken that is taken the same idea and said if you know somebody's Aadhaar number. You can claim to have given them something. Right. Because there's no validation of the fact. The Aadhaar number is considered as all that is required to claim that I've given you something beneficial. And you can actually do that. On the UPI you can put someone's Aadhaar number and send them money. Whether or not they want it. Yeah. So Google takes consent for. Sorry. They take consent for this. They take consent for anybody to associate the Aadhaar number with your Google account. Okay. I didn't remember seeing that. Yeah. I think for people who are watching the live stream. That might be a good point to just stop and say if you want to resist Aadhaar. What are the three things that you can do? One is ignore all the notifications demanding Aadhaar. Because they have no force in law. Until March 31st. Until March 31st. Yeah. So basically. There's a stupid quote here on 17 January. So you know the story will change in January. So don't worry about it at all. 
Do not respond to anybody demanding Aadhaar. So all the smaller cases tied to. Yeah. Everything is based on this one judgment. Yeah. Everything is all tied to the mother case. Every single thing. It's not one judgment really. It's one constitutional bench. Yes. And so it will pass orders on all. All those things. But all at once. Yeah. But that is 17 Jan starting date. So it will obviously stretch for several weeks because it's not a simple. It is not a simple case. Yeah. So judicially wait. Yeah. Wait. Do not link Aadhaar with anything. If you don't have it don't get it. Legislative. Legislatively. Parliament is in session right now. And this is the time for parliament to act. Discuss Aadhaar. And so a few couple of weeks ago we launched a campaign called speak for me which basically asked people to petition their MP. That's it. So you can go to the website. It's got a template email. It will tell you the name of your member of parliament and the remanitors. All you have to do is get the same button and open your own email client. Fill it out for you. So use it yourself. It is free for you. And what we're asking for is to be a member of parliament to do is to file a notice under what's called rule 193. Asking the speaker to initiate what's called a short duration discussion about Aadhaar. So because I mean I think the reasoning is that because the Aadhaar act was Aadhaar bill which became the Aadhaar act was passed in such a big hurry. There was hardly any discussion about it. But now that there are so many problems already 23. So far in the parliament. In this winter session have asked questions connected to Aadhaar ranging from the BJP members themselves several questions related to Aadhaar about nine MPs have already filed rule 193 notices asking the speaker to initiate a short duration discussion about Aadhaar. What are those MPs? Yeah, I have the list. It's on Reddit. You just posted an update on Reddit. Yeah. There will also be a email sent out if you participate in the campaign. 
Yeah. But I mean all this. The emails are not published on the website later at the actual point of time. No, the thing is that you're sending it to a review, right? So this is not a try, right? Yeah. Because 180 you're sending it to a review. You're sending it to a review. Maybe a review. Maybe a review. So Rajan, which are you in that list? Let me check. No, I don't think I read that. So if you go, I mean, so just to recap, if you have faith in the judiciary, wait. If you have faith in the legislature, go to www.speakforme.in and petition your MP. It's a really simple process. You just select your state, your constituency, and there's a letter that's automatically addressed to your Member of Parliament. Send it that letter, asking them to file a Rule 193 notice, asking the speaker to reshape shop divisions. Or if you have a better way of reaching an MPI. Yeah. You're free to do it yourself. Yeah. You have his phone number. You note him directly. You know him through someone. Just ask your Member of Parliament who you voted for to discuss an issue that concerns you. That's two things. The third thing, Kiran, any number three? Well, if you have faith in the executive, good luck. So part of the way, you know, part of what's going on with Aadhaar is when it was first conceived and the budget was originally made. The expectation was that it's going to cost a lot of money to build, but that money is lesser than the amount that's going out into corruption. And so the promise was that if Aadhaar is built and it works, it will reduce corruption by so much. It will save so much money for all of these various departments. And that money can now be used to pay for Aadhaar. And I'm not aware of the fact that it's coming from the consolidated funder figure. The reason is that this was B.Y. Because it's meant to come from other departments that are saving money now. 
See, the consolidated fund of India is basically the fund in which all expenses and income from the government comes and goes. It is like, so think of like a household, right? I mean, you have a household. A salary account. Yeah. You have a household, right? You have a household and whatever expenses that you're incurring on the household and whatever income that you're coming on the household is basically coming to the salary account or one or two accounts. I mean, think about it very differently. So consolidated account of India is nothing but think of India and entire Indian system as a budgetary thing. And whatever the government spends and whatever the government borrows and whatever the government earns is all going into the consolidated fund of India. That is the way in which you look at it. So if you remove the consolidated fund of India, there is really nothing called economy at all for the government. That's the way in which you look at it. So if you come back and say what they merely said is for anything and everything that matters on consolidated fund of India. Yeah, that is basically the key, right? That is all it really comes down to. But then the question, of course, you have to ask is a very simple question, which is, well, what SIM cards got to do with consolidated fund of India? Because the last message is coming from my pocket. What about the fundamental issue is that technology is seen as a punishable every evil there is and then not understanding what technology can do and what the risks are. It is just like, oh, there's this monolith called technology, which is like the drug for all diseases. And that's what we should do. Because technology can't be corrupted. I think that's the idea. But there is an entire field of study of this. It's called solutionism. So Kiran has written some really interesting articles recently. What about the difference between public information, private information and secret information? 
And in that, he talks about how we divulge our private information to other humans based on trust. But you don't know whether you can divulge, right? You don't know whether you can divulge your private information to a device because there's no trust between a device and a human being, right? Actually, not quite that. So this is an early internet problem. And part of what's happened is what the internet has done. And this is starting from the early days of the web in the late 90s onwards. Normal society has three registers that you will roughly operate on. The secret, which is confidential stuff that you do not want to share. Because if you share, there will be consequences to it. There's private, which is things that will help people around you with the confidence that they're not going to go broadcast it to the entire world. So any conversation you have in normal life is private in that there is some reasonable basis on which you trust the other party to not write it down and put it in the press. And there's public, which is meant to be published and you don't care about the consequences of being published because you're looking for it to be published. You want it to be published, you're probably worried about not being published rather than being published. The private register is the nuanced one. It's where the context in which this private conversation happens matters a lot. Like, if it's two people talking to each other in an isolated room, it's private to them. Once it was talking like this, it's private to us except it's not live stream so it's also public. We're choosing to make it public. If there was no live stream, I'd probably be a lot more confident saying things that I don't want on the record that I'm okay with saying morally. So the private register... That's why we also introduced ourselves in the room because it's a kind of social contract. Except a mystery man who didn't want to introduce himself. This information is private to us. 
So the other thing with the private register, which is this midpoint between secret and public, is that it's not one point. It's just an entire range of behaviors that deal with saying what is private over here. But one fundamental definition of private here is that it is certainly not secret. Because secret is something you define explicitly as secret saying I will certainly not share a secret in this room because that makes no sense. What I will do here will be private because I can't control what happens in this room. A password is secret. A password may be shared. Two people share the same account so they share a password within themselves. That's fine but it's no limited to those two people. So private is this thing that tends to not travel because of the manner in which it's done. Like spoken word conversations don't travel because nobody's recording them or writing them down and saying I will publish it like the way you said it. The problem is that the moment you go online there is no private anyone. You can do secret and you can do public on the way to become the private. Now this has been a problem that has existed for like 20 years now. 25 years. Yeah and it's something people have tried various ways to solve it with. Facebook for instance gives you controls that say who can see your updates. Like you can say this is a private post nobody can see it. You can say only my friends can see it. Only the people I select can see it and so forth. Or public anyone can see it. Now the thing is that even though Facebook does this it can't really control what happens after it's seen by someone. Because text you can copy waste. You can screenshot it. You can screenshot it. You can do all kinds of things. So on the internet private as a technological mechanism which is completely broken. Doesn't exist. It doesn't exist. You can do various transactions to prevent it or you can depend on social good will. 
And saying that you expect good faith in the way that people keep private things private. If you can't expect it you get something like DRM which is this other horrible branch of technology that aims to solve the privacy problem by saying this video is private you can't copy it. So the Aadhaar number is where the problem is. So the Aadhaar number now is by design private. Private. Not secret. Not secret. Unfortunately. I think it's important to define that. So it's private in the sense that not everybody should know it. People who need to know can ask to know it. But it's not secret in the sense that nobody can answer for it. So it's half way. Follow up on that. So what happens if your Aadhaar number is shared? So let's say I have a service provider. I'm probably an M&R worker, job site operator. I've got a problem. Somebody didn't show up for work and I'm missing my quota. So what can I do now? I'm supposed to show 10 people, only 9 people are here. I can put a fake number. I can put a fake number. Who's going to check? Now obviously if this fake number turns out to be somebody in other part of the country, I'm in trouble. Can I put a fake number of someone who's plausibly in this area? And he's not going to bother to check? Now that's the problem. You can generate a random Aadhaar number and hopefully hit on the one that is valid and then put it in the database. But you want to be extra sure you should find someone who is a good suspect to put on and say I gave a benefit to this person. Now you can do that if you know the number of someone. So that's the problem. You can't leak your Aadhaar number because it will be abused like this against you. Somebody will claim to give you a service even though they've not given it to you. That's a DBTL catastrophe. What another scenario is, how many people in this group have locks on their phone? The phones are completely unlocked. 
So if I got access to your phone, if I got access to your phone right now I would swipe up and have full access to your phone. Now imagine I have that and I have the Aadhaar number. What all do you think I can do? I can own you. Want to try? Want to try? I can own you. But what if you do? So here is... We can move your money. We can change your passwords. We can open new bank accounts. We can get new SIM cards and give it to actual terrorists. That's the thing most people I don't think understand. What happens when my Aadhaar number is shared that I do not see many people understanding. People keep asking, oh it's just a number. How does it matter? This is a great point. I think this is a great point to bring in people who do have RR already. What do they need? One is Lockup Biometrics. There's a website. Can you put the link in the comments or something? Yeah. There's an option there to Lockup Biometrics. So there's a link in the live stream for those who are watching. So Lockup Biometrics. That means that nobody can even if you put your fingerprints on that scanner or if somebody scans your iris it won't work. Because you have told UIDAI I am not going to use my biometrics to authenticate anything. That's called biometrics. The challenge I have seen in real life is to put one is that even if you haven't locked up biometrics a lot of time they don't work. That's another problem. But that's the biometrics side of the problem. The other problem is I have seen a lot of instances in my extended friend circle where they have locked the biometrics but they have had problems unlocking it or even if they unlock it it's not working. So I don't know the theory of that. Maybe it's the extension of the first problem. Yeah it is the extension of the first problem. So we don't know whether the technology works or that is what I don't know. Yeah. So there is no way to verify. That is another huge problem. There's no audio. 
All the linking infrastructure asks for biometrics all the time. The other thing that people with Aadhaar can do is okay even if you haven't locked up the biometrics if you are going to present your fingerprints on your wrist and whatever do it only once. Because every time... Actually there's a problem in that. It doesn't work. By design the first biometric error fails. We know that. It's in the specifications. So here's the interesting problem. This is the database with the billion entries. Are those billion living people or dead people? How many people have died since they enrolled for Aadhaar? We don't know. What is the death rate in this country? So you can look at the enrollment rate and do a correlation and say there must be a few tens of hundreds of millions of people who are with Aadhaar numbers and dead and will never authenticate again. There's a data center that has all of these Aadhaar numbers sitting in line and the moment you do a biometric scan it's supposed to look up your record and check if your fingerprints match. Except some of those records will never be used again. And the only way they know it is never going to be used again if it's not being used for a while. So one of the things that UIDAI does is that they have a three year deadline that says that if your Aadhaar number is not being used in three years it will go into government mode and they will move into three years and you put your fingerprint. Fingerprint? It says hey you are not in hot storage. Wait at the left side. Wait at the left side. So if you have not used the Aadhaar in the last three years. Yeah but we don't know if it's three years. It could even be six months or one year. We don't know that. This is a great way to reach the good architecture to the masses. How do you say it is great? It should work technically. It's a cache. What Kiran is saying is that this is part of the design of the Aadhaar. The design of the system is that the first failure is normal. 
It's okay to fail the first time. Not for that session. First for the session. Because we don't know when it takes it out of memory. We don't know what that gap is because UIDAI will not tell us. It's national security. Maybe it is one year, maybe it's two years. You can don't use your biometrics to authenticate it. But only experience will prove because users may find that it succeeds. We don't know what the timeout period is. There is one more thing people can do which is signing the opt-out Aadhaar plans. Dealing Aadhaar plan zone. It doesn't have any legal standing. That's what it is. There is a petition being circulated on our channel. It's the Aadhaar.in where people are saying there should be an out option. That is. I have given my finger prints and I would like to opt out. As per the right to privacy, opt-out needs to be supported. It's not only privacy hits by choice. It's a voluntary thing. The problem is that Aadhaar by design cannot really opt out because they can't tell if you opt out or not. I got an Aadhaar when I was in 12th standard. I did not understand security and privacy then. I was born these days. Nowadays we have pure born. Exactly my point. That was back in 2010 and until 2014 or 15. You did not need to use it anywhere. It's just like a passport sitting forever. I haven't ever used it. Now is the time when I started understanding this. And my first question was I do not need this horrible thing. How do I surrender it? There's no option. It was bad security design. Anybody with design systems. We'll know that revocability is key. Revocability is one of the basic things that you would see. Aadhaar opt-in is based on personal. Legal consent is estimated about 18. Aadhaar is designed with contempt for the individual. It is absolute. You look at the design. It is entirely meant to say that the individual is committing fraud and the state must protect itself from the individual. Every individual. Every individual. Exactly when it will work. 
If you say every individual has no right to opt out of this system which is which is going to uniquely identify that person. For what purpose? Actually that is not completely true. Because there is a problem with this. The Aadhaar design makes the assumption that it only works if 100% of the population is enrolled. Problem is 100% of what population? What is population? What about economic gain? So for anybody who is a resident in India 182 days of war. That's how it works. Rajesh, that's such a very late change interaction because the systems are not designed for it. You look at the process they have no way to verify your address. They ask for your address proof. So I mean what I am saying is let's say miraculously today you are here and achieve 100% enrollment. Every single human being has an unheard of. They are actually very far away. But let's say miraculously there are babies going to be born tomorrow. There are people who are going to lose their fingers tomorrow. I want to explore this because this is an art club writing. So it's not done yet but it will be done soon. So there are design issues with Aadhaar. One of the assumptions is that Aadhaar has 100% enrollment. It's that any service provider has 100% compliance with Aadhaar. So the expectation is that say LPG the entire LPG database of this country must have 100% Aadhaar records. That's the expectation. Because only then will they find anyone who is coming in twice who is duplicated. Because once with Aadhaar they can't tell you that you are duplicated. The Aadhaar system can't find you duplicated. The LPG system must find you duplicated. And if the LPG system is doing their own de-duplication then there is no cost savings that Aadhaar is giving them. So for any service provider that has to do de-duplication without support from Aadhaar is not saving anything because that's the exact same problem they had before. So the promise of Aadhaar actually works with 100% compliance. Of each system. 
So therefore 100% bank accounts need to have Aadhaar, 100% LPG accounts need Aadhaar, 100% SIM cards. No, no. Bank account doesn't have a duplication for this room. So you can be underground. And they don't use any of these services. So this sounds like very typical gambling deal. You used the first bet. You are like okay I'll recover it when I bet the next time. It becomes worse. Okay there is now even more scope. You are like double down. Keep on doubling down until like there is nothing. Yeah there is a fundamental difference. Let's get to this. This is where it gets fun because this is the first exception they made that any system which has 100% Aadhaar environment will solve its duplication problem. Now this does not deal with surplus humans. Right. Because let's say you bring LPG subsidies. If you assume that you need LPG subsidies. And therefore they will get an Aadhaar and enroll in your LPG subsidy system. You are not according to people who don't need LPG subsidies. Now people who don't need LPG subsidies are anybody who doesn't live in India. Hey hey hey hey hey. He doesn't live in India. He doesn't live in India. He will tell us his story. So think about it. If you want to say that everybody in this country who has a phone number has Aadhaar and you have achieved your 100% compliance. Okay. You can't do anything about the rest of the world. You just want to ensure that people in India have Aadhaar. And you want to do this position of saying that if it turns out that this phone number is suspect for some reason I can go look up the Aadhaar number, find the person and also find every other phone number that's linked to them and so identify this person. This then becomes a problem if somebody in the US gets an Aadhaar number and register the phone number in India that is operated in India. But nobody knows the fact that this human is not based in India. It's just that it's somebody else's operational use. 
So now the second design problem is someone who has no use for Aadhaar having an Aadhaar number who's availed the service fraudulently and given it to some other person in India. That's called the mole. So they have no solution to this problem. Benami. Benami. So now this problem cannot be solved unless you make it impossible for someone to live without linking Aadhaar. And so this is now where the other push for Aadhaar comes from that every foreigner can get away with fraud because the enrollment agent doesn't check your residency status. So all you need is when we start to India, go get an Aadhaar number give it to your friend, go back to wherever you came from. And that's completely legal. You can also do the illegal method of saying that just bribe your document verifier to take some fake documents. 500 bucks. 50 bucks. Depends. Depends very well. The problem now is that these people have set themselves up for the first level of saying this imagination that if you have 100% compliance your crafty problems will go away. Suddenly you realize that there are surplus humans outside India. And there are more humans outside India than inside India. I mean even with our reproduction rate we are still 16%. Now we have the new problem of saying previously we said Aadhaar is for residents without defining residents. Only when the act was passed as a very large stage requirement they changed the definition of resident in India. So apparently it's either resident or intending to be resident. It's not in the act. There is no such thing as intent. There is no consent, there is no intent. So in the act they are not defining intending. They define resident as 180% on the previous one year. Now they have a problem of saying you must cancel Aadhaar of non-residents. Because now that's a leak. That's a leak, no. And so now there is this crackdown on illegal Bangladeshi migrants having Aadhaar and what not. 
Which previously was not a problem, because in the previous design they had not assumed that they were supposed to have Aadhaar. Suddenly you have this problem of saying, no, they can't have Aadhaar, because if they do not depend on Aadhaar then they will commit fraud. Think about it. Having Aadhaar and not using it is fraud. So what it basically says is that, I mean, if anybody can suspend. And not having Aadhaar is also a problem. Yeah, yeah. Not having Aadhaar is a problem. You are messing up the 100%. So the only way is to have Aadhaar and using it everywhere. The definition of resident versus non-resident. Right. So which is an impossible problem. They will solve this problem. They want this ideal closed border state like China where nothing happens. So think of this very differently, right. This is another way of saying the same thing. The only way in which Aadhaar can succeed is that we have perfect 100% registration of all existing people today. Right. For all the services. And then we have closed borders. Okay. We have closed borders. Perfectly closed borders. And we get perfect registration of every single baby that is going to be born from today to tomorrow. And we have successful deactivation of everyone who leaves the country. And no one leaves the country. Now all these five combinations together is what we call as the Aadhaaritarian state. Aadhaaritarian state. Okay. 100% enrollment of all people today. 100% enrollment of all people tomorrow. 100% enrollment of the babies. No one goes in. No one goes out. It's perfect. Right. Or you get the whole world in Aadhaar. Or you get the whole world in Aadhaar. Which is also what they are trying to do. Which is also what they are trying to do. China. Not China. Tajikistan, Sri Lanka and some of the African countries, to say that the Aadhaar is related to the consolidated fund of India. It's not. It's not. This is sales. It's not. Export and import also.
See, export revenues and import revenues of people essentially becomes taxation, and taxation comes into consolidated fund of India. I mean downstream. We are paying for it but we are suffering from it at the same time. We are paying to a telephone company which is paying to the government. So what about security implications? For example, we link it to the SIM and if there is a data breach, and then you can make it track like true movements and things like that. Data breach has never happened before. It happens about once a month. But we don't have an answer. It doesn't happen regularly but just once in a while. No, the others are more important. Data breach is forcing their way into a system. That is data breach. So there is mala fide intent. Data breach is like somebody breaking into your house. So somebody wanted to break it. But what's more concerning is you not having the keys to your own house. So for example, if you want to find out how many times has your Aadhaar been authenticated today? By who? You can try it, or how many times it was authenticated in the last few days or weeks? 6 months or 50 days? 50 times or 6 months? And it can be found out only through a website. So above farmers sitting in Jharkhand or whatever, somebody who works as a... in rural cities. Anybody who doesn't use the internet cannot check this. Even those who can check it can only check the last 50 authentications or the last 6 months. Even that information tells you your Aadhaar was authenticated 17 times. Best of luck. It doesn't say who, for what reason. What is the purpose? It either tells you it's a demographic or biometrics. Supposedly nobody knows the meaning, or we recently checked it for Abhishek. So there are 4-5 columns: one which says whether it's succeeded or not, the other was authentication code, which is basically just an Aadhaar number with some random digits. We don't know the meaning of it. Used by, and authenticated, or will tell you biographically. Yeah, you give me that.
I will be able to decode it. Sure. Just send me that. I think this is more important. No, they don't tell you. They tell you that an authentication happened, but they don't tell you who did it, why it happened and so on. But there is a reason for that: because they don't know. In theory. In theory. In theory. So they designed, honestly this one is a lot more surreal than this 100% complex problem. So part of the UIDAI design is this: the bug guys who designed it kept thinking and saying was, we don't want to know so much, we don't want to know your movements, we are going to design it such that we cannot know. So what they did is they assigned this federated system of authentication where CIDR, which is the common identities, depository, what registers, which is the main data center, will not talk to the outside world except through a bunch of trusted entities who are called authentication service agencies. How many are there, 7? ASAs are about 30 odd. ASAs are 30 odd. So there are 30 of these ASAs, the authentication service agencies, which are entities like NIC, which offers it to all government services, probably NSDL. NSDL, which offers it to all stock market. So they have 30 of them for different purposes, who are only allowed to service people in that domain.
NIC can only offer it to government services, government departments. They can't offer it to anyone else. So the first ring is the ASA network, and the basic idea is that the ASA network is where all the aggregations happen. So the ASA network serving hospitals will know nothing about ASA network serving government services, will know nothing about ASA service offering to insurance companies, and so on. So basically then they cannot do cross relation, because by now they are prohibited from sharing data. ASAs in turn subcontract to another layer of it, it is called the AUAs, the authentication user agencies. The AUAs again subject to something called the sub-AUAs. So now the AUA has a contract with UIDAI, and UIDAI in the contract says you will go through the ASA so that we don't know what you are doing, because ASA will not tell us who it is for, which AUA it is for. It is just that we license you, but you send it to somebody else so that we don't know that it is coming from you, for the good of the people. AUAs can make their own contract with sub-AUAs, and even UIDAI doesn't need to know about this. So the idea is that every state will have an IT department which will become an AUA. So the IT department of the state will get an AUA license from talking to NIC, which is the ASA, and any government department in the state will talk to the IT department. So there will be the sub-AUAs: each department is a sub-AUA talking to the IT department, which is the AUA, and Delhi, which is the ASA, which talks to UIDAI, which is the center. And so thanks to this federation there will not be any aggregation of where your authentication has happened. So in the registry, when they say that one demographic authentication happened somewhere, all they can tell you is it happened somewhere. They have no idea. So they designed it like this, saying that we do not want to know. The problem is, if they don't know, even you don't know. Then they went and defeated this entire system this year, because what happened is biometric fraud
started, that the fingerprint scan can be saved once and then replayed on the network, because after all it may be called in the network. How does the network know whether you are taking a fresh fingerprint or sending a scanned image? So that scan started happening earlier this year. Sameer Kochhar reported it, saying that, hey look, here is this bank that has shown me a demo of how they actually saved your fingerprint. Axis Bank. So they said, the guy went and reported it saying that, hey look, this is happening, this is not supposed to happen. So where they put an FIR on this man: you are spreading falsehoods about Aadhaar. And he still called the police case on him. By the way, he is still very angry about it. He is still very angry about it. You look at his tweet stream, every time some Aadhaar news comes up he says, you can go, but they harass me for reporting it. That is an important point to make: if there is Aadhaar related fraud, not only do you have no legal recourse, but you will be harassed for reporting it. You will be harassed. So this happened. So Sameer Kochhar reported it, UIDAI went ballistic, they filed an FIR against it, and they said we will not allow biometric authentication anymore without registering your device. So they introduced this thing called registered devices. That they have put out was to say, to prevent you from capturing or copying the fingerprint, it will be encrypted in the hardware itself and only encrypted packet will come out of the hardware, so that you can't replay it because you got a time stamp embedded in it. So they put this out first. Then they realized that this means you would replace every single biometric scanner in this country. So then they chickened out and said, no, we will not do this, we will do a slightly simpler version where the encryption happens in software. So now we say it will come out of the biometric scanner using existing hardware with no encryption whatsoever, but as soon as the computer reaches it, it will encrypt it. And look at it and say, are you
guys nuts? I mean, what is stopping me from sending it as a scanned image back from your biometric scanner? And you know how easy it is to do it. So in case you guys don't understand, most of the biometric scanners are fundamentally USB devices, and USB devices can be emulated in software. So the way in which we, so if you are a USB device developer, let's say you are developing a mouse and you want to plug it, the mouse, into the keyboard, you are not stupid to go and actually create a mouse and write a device driver and all. See, the way in which hardware and software works is very different. You first make the software and then you make the hardware, and then you test all the driver with the software, and then you actually go and do all that work. And then fundamentally all USB device driver development happens in software, and for you to happen in software you have to emulate it, which means that we create a dummy driver in software and say, hey, here is a USB mouse, and send all the command packets saying, oh, it is moving on x, y, y, z and all that stuff. Here is the most interesting part. Let's say I give you a scanner, a fixed scanner which is not a registered device. I put it there and I can send the same image back from a USB device which looks like another scanner. What will prevent you from that? That is not the interesting part. The person who is providing is not here, in somewhere else at that point. The person who is providing the fingerprint, it is their responsibility to know whether it is a. How will they know? I completely understand they won't know, but essentially that is who has the responsibility. It is the citizen who is responsible for the fraud now. So it is like, this is not the best part. The registered device requirement is that every single owner of a registered device, which is the shop in which it is located, must register it with UIDAI, and the software that UIDAI supplies will encode their registration ID in the packet. In the packet. So now what happens now is that
when this scanner is used, and from December 31st I think it is mandatory to use registered devices henceforth. So now when you put your finger on a registered device, which has now become mandatory, it is immediately encrypted in software on the computer, which has a device ID on it, and obviously the device ID has pre-registered with where is this device supposed to be located, who wants it, what not. It is sent through this entire federated network, which is supposed to mask its origins, to UIDAI, where it has a nice source ID saying it is sent to this guy and he is in this location. Well, they precisely know. What is the point of that entire 300% network of ASAs, AUAs, sub-AUAs if you also want a source that it came from? Somebody has made one. So we don't want to know where your thing is authenticated, but then the word is happening, but we also want to know where. And so here is the interesting thing that you guys need to understand: in all systems which is presence-less or electronic there is always a problem of balancing privacy and fraud. Ok, so think about this very differently. You are using a bank. I mean, I can defraud you and probably take the money from your bank and move it to my bank. At least there is an element of traceability, if you call it. But let's say you are using bitcoin, totally decentralized, and if I steal the bitcoin from you, you can't figure out where it went. Or normal cash, it is gone. So cash is anonymous, and hence fraud, if it happens, is impossible for you to trace unless until you have other ratios. But on the contrary it gives you exceptional privacy. But if every transaction is digital and everything is tracked, then it gives you no privacy, but it is at least traceable, slightly more traceable, but there are ways to defeat it. Ok, so here is the interesting problem. These guys tried to say, first we will build privacy. They assume the fraud will never happen because their fundamental assumption is biometrics cannot be faked. Remember that the fundamental assumption behind
this entire scheme is that biometric cannot be faked because people are not smart enough to do it. That was the assumption. The reason why the assumption came was, is because it was designed for welfare, and they contemptuously thought that these bums who can't even make 100 bucks, how are we going to defeat my technical solution, right. Ok, now what happens when this entire thing became live and it went to a different set of population? You are dealing with people like me who break security systems on a day to day basis. How are we going to defeat you, right. And then you also improved the access, in the sense that when you make it mandatory for everything, it is now one big honeypot. You are super lucrative. You never do super lucrative stuff like this, because now all I need to do is, so think about this very differently. In the past, let's say you are one of those NREGA fellows. Even if I know a Aadhaar number and let's say I took your feature phone, how much are you going to lose? 2000 bucks, 3000 bucks. Now let's say I am able to actually get the Aadhaar number and a phone of one of those wonderful politician guys. I own him, right. So fundamentally the risk profile has dramatically increased, for precisely what? Right. I think it is also important to mention this whole idea, tying back to what you said, that technology is unbeatable. I think a lot of people feel that your fingerprints are, and this is also due to, I think, how our culture thinks of fingerprints, that you know your signature can be faked but your fingerprints, you know, where somebody committed a crime and we got the fingerprints and we figured out that it is only this guy, because only he has these fingerprints, it cannot be somebody else's. So I think there is this myth in people's minds about one is to one mapping of fingerprints. But what I learned recently from reading online is that when you authenticate using your fingerprints in a scanner, it is a probability response. The software is saying probably this is this person's
fingerprint, because it can never be 100% sure that it is your fingerprint. So the scanner, the technology, can only tell you that this is probably this person's fingerprint. I think that is a really important point for people to. Because collision detection is something like, like there was with MD5. I mean, it is not 100%. No, but this is, it means that it was a deterministic, this is probability. It means that all your other safety algorithms are all broken, like you can't do cryptography at all with probabilistic outcomes. Also, going back to whether you trust technology or a person: let's say I recognize you. I am capable of recognizing you if you have a big slash on your face because of some injury. I can still recognize you. But if I have a fingerprint and there are two big cut marks on my fingerprint, it will fail. So the technology does not recognize human beings in the same way that human beings recognize human beings. Any other reason why I am not having that, for example, I won't go into face ID, but for example the organization where I work today, there was a guy who had sent in a beard and today he just completely shaved it off. Half the company could not recognize it. So I am saying that your assumptions that humans can. I am saying that it works differently. I am not saying that one is better than the other. The correct way to understand this is you can evaluate the context and see, if I don't recognize this person, what is it, and can I do something else to recognize this person, whereas the machine will just tell you, I do not recognize you. It's binary. The logic of putting it in PDS is more problematic, because there is locally food available, locally person available. In between there is a system which can give a probabilistic response, and that have its own set of failure modules, including connectivity and various other elements. So that's a typical system: when you chain response is the error rate, error rates, kind of error rates increase, compound. Another thing that is in the same
area is that it seems like UIDAI has put all their eggs in two baskets: one is fingerprints and one is iris scan. So for example, this is the change that they try to make with DBT and say the binary is not required anymore. No, but basically right now if I need to go and authenticate my cell phone cell card, I need either my fingerprints or my iris scan. Now OTPs are out. Has it started for all of us? Because they discovered that fingerprints are not working. But OTPs themselves are insecure, that's another story. There is the other part also, that PDS versus DBT transition has been happening for the last 10 years. PDS is an ancient system, it's like 20-30 years old, it's been around a while, and PDS comes from the socialist state, where you believe that the government must run its own parallel institutions to compete with the market, which is where BSNL will come from. BSNL will exist to compete with free market telecom companies, because the government has this faith that the free market cannot be trusted. So the PDS system originates in that era, where you say everything from growing grain to delivering it into the mouths of citizens is the state's responsibility, and over time it's proven to be a bad idea. The state is just not efficient enough at keeping control of the way a communist imagination of a state was supposed to function. So what's happened is, PDS is a state subject. The central government in the Manmohan Singh era decided that this PDS thing is not working, we need to do something else, it is time to dismantle it and go free market. Even in this zone, while licensurization has been dismantled everywhere else, it's not been done over here. My idea is that if we said, why don't we give people bank accounts and send money directly to their accounts and not create our own alternative to the market, we just give them the subsidy instead, let them figure out whatever they want, let them figure out how to spend it. So for example, to translate that, if somebody is entitled to 20 kgs of rice a month, instead
of managing this huge system, just give them 20 kgs of rice, instead we give them money for 20 kgs of rice, that's it. So the DBT system is the Manmohan Singh government's idea. The central government does not run welfare in this country, state governments do. So the central government says, let's dismantle PDS and do DBT. They can't do it, the state government has to do it. So part of their mechanism has to be to say, ok, we will make the states suffer for it if you don't comply. So a PDS failure in a state is good news for the central. The more people suffering on the ground, unable to get their rations because their biometric authentication doesn't work, central government is very happily going to sit and, see, you fuckers, move now, go to DBT, why are you doing this PDS nonsense. So part of what's happening here, and this is something that is not very well understood, is failure is success for UIDAI, because the central government wants it to fail. The linkage of PDS being the first scheme to be linked to Aadhaar, it's meant to be like experimenting. If it fails it's great, because then they'll move to DBT at least. But here is the other, the problem with that. The problem with that is the political economy of the country is deeply connected with PDS. The political economy of the rural area is deeply connected with MNREGA. And where do you think all the reason troubles are all happening? In the rural areas. And what is the place where it got hit, the demonetisation? Mostly rural areas. And there is a place where they are going to be impacted. What people actually thought during those times was not the same as now. But you design a system, you force it using NFSA for all these guys, and you've got what you've got. So DBT as an example, on both NREGA and PDS, are not doing great. And also PDS is based entirely on this biometric authentication. DBT is meant to be about saying, just link your bank account, transfers will happen, there is no biometric authentication technique anymore. In the case that the
technology for DBT was built later, much later. And so you had this super elaborate deduplication mechanism that UIDAI employs, which is the only thing that can feel proud of, you know, because anytime you argue with one of these architects, you talk about deduplication, they get seriously offended, because as far as they are concerned that is the only thing that works in their system. Does it? Does it? It does it. It uses that as well. As it turns out, deduplication works if the same fingers and the same eyes are used by two people. No, no, if there is time we will come back to that. You will laugh your heart out when I tell you that. So they have very close problems, you know. So we are not done with the realm of bizarre. They have device level problems. You do an iris scan, it's a picture. If your eyes are done, the same thing is captured. If you have device level as a bug, it sends a different picture back, it damages the picture in some way, and you will get a different Aadhaar number. You will get a different Aadhaar number. So it turns out they have device level bugs. So people have been getting multiple Aadhaar numbers, because one version was captured with the buggy device level, other versions were captured with the mobile device level. So two different pictures of your eyes were captured even though it's the same eyes, and two different Aadhaar numbers have been generated. This is the public record, you can't deny it. They have admitted it now that this happened. No, no, what is your fault? There are many people having multiple Aadhaar. On the initial days it's the whole thing. Multiple Aadhaar is a problem only after the Aadhaar Act came into place. Before that there is no act. Leave this aside. There is no duplication as well. Assuming that that stupid bug will not exist and it works well, that's the one piece of them they will generate thoughtfully. They spend a lot of time thinking about it. So you go from there to DBT, where the last bank gets to claim your account and it's on good faith basis. What kind of
technology is that? That looks like you cobbled it up in one meeting, one weekend, and you know, and we're done. It looks and feels like it was built on a weekend, so if you think about this. On a drunk weekend. No man, because this elaborate biometric stuff that took multiple years to design and build and test and what not, and you got this DBT stuff which was built so horribly that it's one database table with no audit or whatever, and people say multiple parties having write access too. Having write access and no authentication required. So this is another action that people who have Aadhaar can take, which is, if you have Aadhaar and if you have authenticated and linked to your cell phone SIM card, can you call them and check whether they've opened the payments bank account in your name without a consent? Are they duty bound to disclose it? I actually don't know, because I know that Aadhaar has been caught and deemed partially innocent pretty purchase. If you link the Aadhaar with PPM they also became your default destination payments bank. Somebody was also saying that if you authenticate using Vodafone, the Vodafone payments bank is called M-Pesa, and that M-Pesa account was open for a person and they got a message. M-Pesa wallet. Wallet is all gone, so no payments bank. But my question is, my question is, if somebody has recently, somebody has Aadhaar and has recently authenticated using their biometrics to link their mobile phone SIM card with their Aadhaar, can they call their mobile phone company? They have duty bound to the destination, because it's entirely likely that you have, you have one. Using the NUUP it can be checked. Started that star. Yeah, we will. Yeah, the QASM thing, right. Okay, so you have, there are more Easter eggs, you know. So you're not done yet. So if you have an Aadhaar and if you authenticate using mobile phone SIM card, call your phone company right now. That's the message, because you don't know what's happening. Okay, do you want to get into the funny stuff? Hanuman? No, no, no, not yet,
until it comes out. We will think about, we will talk about Hanuman when it comes out. Okay, next. Has Geek Meera, actually it's coming out when? Deaf tomorrow. No, tomorrow. I think for the people who are watching the live stream this might be a good moment to repeat the actions that people can take. If they don't have, if you don't have Aadhaar, we discussed earlier, judicially it's still at the question, which means the courts are still trying to decide the validity of the entire Aadhaar scheme. So wait. If you haven't got Aadhaar, wait. If you have got Aadhaar and don't want to link it, wait. If you have got Aadhaar and you linked it, unfortunately you can do nothing but wait. Can you leave the country? If you leave the country you have to cancel your Aadhaar, but there is no provision for cancellation. Yes, but you can't cancel. Sorry. Okay, but going back. So judicially it's at the question, so wait. Legislatively, there is a website called www.speakforme.in. It's a, a website where you can go there and you can ask your member of parliament to, and it's a very simple process. You just select your state and your constituency, and automatically your MP's email ID is populated, automatically the petition is populated, and you can send it to your MP. We are asking MPs to file what's called a rule 193 notice with the speaker, requesting the speaker to initiate a short discussion, short duration discussion, on Aadhaar, because we feel like in the context of all these problems Aadhaar should be discussed by parliament. And the third thing that you can do is, if you have Aadhaar, then make sure that your biometrics are safe. You can check how many times your Aadhaar has been authenticated in the recent past, although you won't know from who. And if you linked your Aadhaar to your mobile phone SIM card recently, call your mobile phone company and check if they've opened a payment standard also in your name without telling your word. Is that a good summary?
Yeah. Let me bring up one more question from the live stream, since we discussed that Aadhaar is an opt out mechanism. So the question is, how much can we trust the tech even if opt out is enabled? How can you be sure that UIDAI is deleting your. You can't. You can't. If you have Facebook account and opt out mechanism without legal accountability, there's no opt out mechanism, and currently there's no legal accountability because citizens cannot initiate legal action under the Aadhaar Act. So if an opt out mechanism, if the timmar is heard, an opt out mechanism is created, and if there's legal accountability attached with that, then perhaps some trust can be. Even if they create opt out mechanism, will the vendors on the ground will let us have SIM card without Aadhaar? Because that's a problem. Yeah, I think opt out is a highly theoretical scenario. And I think, so part of the opt out, and people who have designed email mailing list systems will understand this, that if somebody unsubscribes from your list then you need to know that they cannot be re-subscribed because they are unsubscribed, which means that you must save the fact that they are unsubscribed. So bizarrely enough, to unsubscribe from a list the list must know that they are unsubscribed, and they must keep you on record and then refuse to re-subscribe you unless there is explicit confirmation that this was indeed an attempt at re-subscribing, which means they have to store your email ID. Yeah, so basically that's the thing. So they have to store your email ID. The thing is that if you think about it a little bit you realize that, no, you don't have to store the email ID, you just have to store a hash of it, because if you can hash it then you can compare the hash and see it, it is an unsubscribed already. The problem is hashing only works in deterministic systems, not on biometrics. You can't do it on biometrics because biometrics are probabilistic. So it comes down to this, that you cannot opt out of Aadhaar because the technology to opt
out does not exist. The Aadhaar number would be hashed. Yeah, but then if you opt out then you can go enroll again and you put it in Aadhaar number. So they have got themselves into this corner where they can't give you opt out. The technology to opt out does not exist. It's not been invented yet. So it's a fairly interesting problem to have. Tube you have better success with that than this. So far we have realized that there is one table of Aadhaar data in UIDAI which has your demographic details and your biometric details. Now it turns out there is a second table of Aadhaar data which has your Aadhaar number and your bank number, and then the banks again have their own tables. As it turns out that's not the end of it. There are more such tables. The LPG table exists, and the LPG table does not even check if your Aadhaar number is valid. So you have fake Aadhaar numbers or disabled Aadhaar numbers, valid LPG IDs, and that's the Hanuman story. That is the Hanuman story. Can you remember what it is? In 2014 Lord Hanuman got an Aadhaar number. It was in the news, with his photograph, with his Gada. With his Gada. So you search for Hanuman Aadhaar, you will find the story. As it turns out, Hanuman has an active LPG connection as of last month, as of last week, as of last hour I checked it, with his Gada, with his photograph and everything, on the LPG table. That is also getting, they are probably routing it to someone. And the Aadhaar number is invalid, it's been cancelled, but the LPG table doesn't care. It is invalid. Somebody is getting LPG. Hanuman Aadhaar number, that's the Hanuman story. Aadhaar is really holy. Of course, not Indians. We have plenty of non-Indian tables and non-Indian entries. Didn't you sell it as a way to check for individual Indians and all that? I agree with that. Sell is different, but how. The question that we have to ask citizens is very simple. If you take any emotional construct, this is basically my theory of working in industry for a very long time: almost everyone wants their country to be good, almost
everyone wants their country to be the greatest, and almost everyone wants their elected representatives to do something about it, right. This guy calls us agency or whatever agency thing, they want it to be best in all. So when, when someone comes basically and says, I can do all this for you, and you see some other guy saying, now maybe I can't do it because there are a lot of other reasons why I can't do it, whom would you vote? The guy who says I can do it all for you, right. But here is a question that you should ask: how are you going to achieve it? That is the story of Aadhaar removing corruption. And we have done like historically hundreds and hundreds of studies all around, and I can tell you that on an average we have spent 20 times more money to remove corruption than the actual value of corruption. And then the question you have to ask is, is that not corruption, that somebody paid? Correct. And that's the story. Do we have the next big table? Oh yeah, that's a big one. All right, so here are the other interesting questions that I think you should guys ask. The Aadhaar Act explicitly says on a section that you are not supposed to coordinate, right, you are not supposed to cross reference using Aadhaar. Okay, you understood that, right. And what is the problem? Basically that means that if I have an Aadhaar number, if I cannot say all these people who have criminal records belong to this. Not that. Suppose I buy the database table of the telco company, insurance company, that's not allowed. That's legally not allowed. Except UID also does it. Except UID does it, and that is intentionally. So how many of you guys have heard about state resident data hubs? SRDHs. Correct. Okay, so you know what exactly SRDHs. It goes to every. So remember how, let's start the history. Basically the thing is that states have always been doing the citizen programs, like ration cards were a state subject. So the state PDS department would give out ration cards and build their own database of citizens who are supposed to be on the ration
card system and so on. And before Aadhaar there was no national population register; it was only a state register. There was NPR, which was the project to fix this problem, but not... but NPR is the story, NPR is the story. So what happened is that every state has had its own citizen database. These are obviously leaky because people cross state borders all the time, so you might find a person who should have put different states population tables, and there is nothing you can do about it because there is no way to find out if somebody is missing, because those databases don't talk to each other and you only update the database when something goes wrong. So if somebody is not taking a benefit from you, you don't know the fact that this person doesn't exist, because it's not come up at all. So the central government has been thinking of how to solve this way before Aadhaar, and one of the ideas was to say that the central government has only one comprehensive exercise where they tabulate every single citizen in this country, and that's the census. So the census, which is the Registrar General of India, we gave them this new project saying build the National Population Register, which is a live database and not a 10-year database, because this is the only entity that is capable of solving this problem. And UIDAI was created at the same time by a different bunch of actors saying give numbers to everybody and do something to create this database by using database. So NPR and UIDAI became two competing projects in the central government. NPR became the Home Ministry's project, UIDAI became the Prime Minister's project. So people who know government realize that the Home Minister and the Prime Minister are two competitors, because the Home Minister is considered one of the most powerful ministries in the country, which is typically why you will find that Prime Ministers want the Home Ministry to themselves, because otherwise it's one parallel branch of government. In the Manmohan Singh regime it was
Chidambaram running Home Ministry, Manmohan Singh running Prime Ministry and Planning Commission. Most importantly Planning Commission; Planning Commission was Manmohan Singh. So these two parties decided that one will do NPR, one will do UIDAI. They became competitors, and they became bitter competitors, to the point of having fights, and Chidambaram trying to kill UIDAI is well known, it's been on the record for a long time. As it happened, over the years they kept building up. When Modi comes to power, he looks at this and says, why are we doing two, let's kill UIDAI. Until something happens and he says, no, let's do it the other way, let's kill NPR and put UIDAI in charge. There was in between a group registered meeting in which they decided, 50% said you let UIDAI work and 50% said let NPR work; both work, we will exchange data and build one population of NPR eventually. So the thing is that whatever UIDAI said about AUA, ASA, privilege of separation, not wanting to know details about people, NPR had no such principles. So they would go to every state... in the database of people for ration cards you need to know APL, BPL: above poverty line, below poverty line. So you want that question; you are not willing to accept a population register that does not answer this question. Or you want to know caste status, whatnot. So NPR was this compromise database where every state, you want these answers, go ahead, in your data collection we will take all these answers. UIDAI said we don't want to have anything to do with any of this stuff. It is not that alone. It includes... there was an issue, many states are opposing UIDAI, including Narendra Modi when he was chief minister. It was mostly like a federal issue. So in UIDAI itself, they wanted extra data to be collected and handed over to states, but they said they don't want it. States wanted extra parameters. States wanted it and UIDAI refused to collect it. Then they compromised, which was R. S. Sharma's innovation. KYR plus was to say... so his solution to this problem of people
squabbling over who collects what data and what fields they want was to say, okay, we will design our enrollment software to take all of the data that you want. So the UIDAI data is called Know Your Resident, KYR, and he said we only want KYR, which is name, date of birth and age and address and biometrics, and that's it, we don't want anything else about this person, UIDAI. State wants it, so this is called KYR plus. You can add any extra fields in our enrollment software, and the state government is a registrar that will do the actual exercise of conducting in our registrations, so you get all these extra data which we will not get. So when you do enrollment for Aadhaar, they collect everything for each state? Every state will decide which parameters they will collect. And so therefore in those states we will not get an Aadhaar without divulging this? Exactly. That includes your caste, LPG ID, whatever. For instance, the government is a registrar which collects the enrollment data, so they separate it into two packets, KYR and KYR plus. KYR goes to UIDAI, and KYR plus has to go somewhere. States do not have an answer. So UIDAI came up with a solution saying, we will build a state data hub, a State Resident Data Hub, SRDH. We will give you the know-how to build your own database, which is parallel to the Aadhaar database, which has only KYR plus data that we do not want to know about. So we do not want to know all this information that the people is good, but we will give you the technology so you can build this data, because you are the elected representative, you decide what is good for your people. And that I will have UID. So it has an enrollment ID because it does not have an Aadhaar number. The problem is that enrollment ID can be duplicated, because you can always go ahead and enroll one more time. What is stopping you? What you are saying is, I already have an Aadhaar, I can go back and enroll, I get a new enrollment ID, but my Aadhaar will get refused even if the deduplication is done, because my biometrics match. So now
the problem is that EID by itself is useless because you can enroll multiple times. So what happens is that the deal with SRDH is that they will deduplicate you and send a UID back to this SRDH and say, we deduplicated it, confirm that your enrollment ID is unique or it is duplicated. It is called EID-UID mapping. So they will send you the EID-UID mapping that says your enrollment ID is our UID in our database, which is currently a violation of the Aadhaar Act. Sorry, sorry, say that again. What does UIDAI take, the enrollment ID? You should not share, you should not share the Aadhaar numbers. But what they have done is to say, because we had to deal with all the state governments for their State Resident Data Hubs, the SRDH will get the EID at the time of enrollment, and then UID... they don't have the deduplication technology... UID also gets the EID, because the same EID is generated for both parties. Aadhaar will deduplicate, generate a UID or find the existing UID, send it back to the state government saying your EID is our UID. Oh, so therefore two EIDs have now been linked with one UID. So that is for deduplication. Now the problem is, that is not parallel Aadhaar database. Everything on free UID, everything on free UID is also in SRDH. The only thing is extra parameters, some extra. So if you look at what they have actually done, the maximal database on multiple state hubs. You understood that? 14 or 15, the numbers are. So when you are getting an Aadhaar you are actually subscribing to the State Resident Data Hub, which is not covered in Aadhaar. So you have no protection whatsoever under the State Resident Data Hub. Now here is the most interesting question. Now I will ask you another interesting question, for those who know a bit of computer science. What is UIDAI's claim? That every time that you enroll you are using 2048-bit encryption which can't be broken. It is all encrypted. Even the Supreme Court's Sikri was saying it is all encrypted. Now here is the point. When you enroll you are giving KYR and KYR plus
and your biometrics. UIDAI only gets KYR basic data and biometrics. But if you enroll everything and you are not sharing anything in the state, how is the state getting KYR plus? Think through it. What will you do with the encryption? And so what UIDAI actually does is, it has two encryption keys. Every enrollment produces two sets of packets. One encryption key is with UIDAI: KYR and biometrics. The other encryption key is actually provided by the state during the time of releasing the enrollment software. So the state basically gets KYR and KYR plus, and biometrics in some cases. Come back to that. So in case you understand the RGI and NPR project, both of them are running in parallel. The RGI product... RGI and NPR are the same... UIDAI were running in parallel. Both of them are supposed to give you multi-purpose identification cards, but the NPR project basically said, we will give you a biometric smart card. The biometric smart card required a fingerprint to be stored as part of the smart card. If you have interpreted the software, where will the states get the biometric of the thing? So in RGI states we know for sure, or even in other states we know for sure, using these dual encryption keys biometrics were shared during enrollment. We have official documentation proofs for it. We are not talking anything about some website and all that: official documentation from UIDAI which later got deleted. We are talking about documents; we have tracked loads of deleted documents. And you can just say, wow, right? No, they can simply go and change the act. But within government they may be able to disclose. If you read the Aadhaar Act, clause number... section 47.1 says that a court cannot take cognizance of any offense under this act unless UIDAI grants it. There is section 52, which says that anything that the officials do, done in good faith, is exempt from this act. In good faith. The words good faith are in the actual section that protects them from doing all of these, all of this stuff, because nobody can sue them for the fact
that they have violated the act by themselves. And even if they sue themselves... No, no. So here is the interesting part of the Aadhaar Act, right? I am the guy who wrote the act, I am the guy who can prosecute violations on the act, and I am the guy who is also violating the act. Yeah. Okay, and it gets better. And this was passed by a money bill, which has no court, which... the attendance during the time in parliament was 53 out of 540. Okay, no discussions, barely meeting the decorum... barely meeting the quorum. And the purpose of the Aadhaar Act is fundamentally to ensure that all the technological jugaad thing that they have done is fundamentally protected from legal scrutiny. I mean, there is really nothing more to it. Yeah, because they invested so much time, money and propaganda into it that they don't want this to fail. Yeah, precisely. And here is the worst part, okay? If you understand computer science systems, what is broken cannot be fixed, and what is fundamentally broken cannot be fundamentally fixed. Do you want to live with this? So what would it take to abandon the system? What would it take to abandon the system? Hahaha. Being optimistic, the first step to abandoning the system is to stop forcing people who are not in the system. I am actually asking what kind of catastrophic failure would it take, because it has to end now. What is that iceberg that it has to hit? See, the iceberg is going to be hit whether you like it or not. Which one is it? Let's think of... if you do not hit the iceberg, you need to first stop accelerating. Right now all the energies of our entire country accelerate forward. You are talking about backwards. No, no, what he is saying, he is asking, what is that data centers... Well, how do I know? I mean, so think about this. One scenario that I am worried about is a very deep surveillance of your everyday behavior, whether or not your behavior is correct. It is already normalized. I mean, look at UK. Nobody sits there worrying about the surveillance cameras anymore. It is just normalized by
the society there. No, no, but I am saying that the surveillance is still outside you. With Aadhaar the surveillance is inside you. The thing is that it has got to become a scandal. Until then nothing is going to stop it. It is normalized. In fact, we are lucky that the government is rushing Aadhaar, because it has made it a public discussion, whereas the slow boiling frog system they have been using for so many years simply escapes scrutiny, because you just normalize your life under Aadhaar. Actually, acceleration is good in this case. Yeah, so acceleration is good because it is horrifying people and it is causing a discussion to happen. Now unfortunately the problem we are dealing with is that the Supreme Court does not seem to be aware of how badly broken the technology is, because the lawyers who are arguing in Supreme Court are not arguing from a technological perspective, right? So when Justice Sikri says, but it is all incomplete, there are 13 answers that need to be given... explain why that is a meaningless statement. Correct. The point is, the lawyers are not going in with those briefings. And it is not for lack of trying. We have been trying. Part of the problem is that this entire system of law is institutionalized by technology and does not know how to course correct. So in one sense the Supreme Court is looking hopeless because of this, that they may finally find an argument using the right to privacy judgment and not think about technology at all. But the technology argument is so much easier: this is just fundamentally broken. Technology also came up during the right to privacy hearings. If you notice what happened with one of the lawyers, he basically said giving a biometric violates my bodily integrity. It is kind of a dumb argument, because you leave your biometrics on everything you touch. Like, you leave your biometrics here, here, here, here. How does it violate my privacy? Probably one thing that could really scare people into saying this is not a good idea, it is foreign surveillance or
something where the Aadhaar database is actually accessed by foreign... Yeah, it has happened before. No big deal, it has happened before. In the midst of the theory that this is all funded by the US and CIA... No, no, you don't have to go... you don't have to do stupid or conspiracy stuff. You don't have to do stupid or conspiracy stuff. I mean, believe me when I tell you this, right? You don't need a foreign government to actually break into this system. I mean, you and me can do it, because they actively publish it. That is only what is going to cause some more, what do you call... a foreign government is doing this. Now I will tell you precisely what is going to cause your heartburn. Not the foreign government, not this CIA stuff and not all this stuff, right? And you are talking about iceberg. The iceberg that is going to happen is, AC rules that is fundamentally not violating privacy, because they believe in the half-baked technologies the government says. Government goes more stream, more stream, links every single damn thing in your life which is already not linked, maybe, to Aadhaar. And then you get into some kind of tricky situation with China, maybe 5 years down the line, for whatever reason, whatever you call it. They send two spies and one hacker, which basically does a denial of service on the central Aadhaar system. Irrespective of all that critical infrastructure stuff they talk about, I know how bad it is, right? Basically the country stops at a standstill. That is probably what we are trying to do. Single point of failure. But that point of time, when it happens, when it happens, you would have bigger problems than the Aadhaar database, and that is, the people die. They are already dying. In the context of this iceberg, there is another important question that we should consider, which is, what does the government need to do to make Aadhaar work? Is there any way in which... A lot of back... a lot of backpedalling on the fundamental design decisions. It has to be redesigned as a decentralized system, ideally. So
basically what you mean is, it is already partially decentralized with the state registries. It is not partially decentralized, it is interconnected. The pause on all is multiple centers rather than being decentralized. So you have to remove the central database, then it becomes decentralized. No, these are all interlinked, these are all interlinked. So the fundamental thing that most people do not understand about the SRDH is that it is not federated, it is basically two-way synchronized. It is two-way synchronized, in case you go to understand it. It is two-way synchronized, not one-way. And if you already want to understand why, you have to ask the basic question. Let's say you actually link all your Aadhaars with your mobile numbers. How does the UIDAI know? Because you are putting all the stuff in your mobile number telco database, how does UIDAI know, link it? So that is the SRVAM project. So basically what these guys have done is, the state data hub is basically correlated, correlated, and it is built with one big database, and across all the databases you can build an information highway, and that is SRVAM, and that is basically made available to the central government. So it is basically not one-way syncing on EID-UID, it is basically two-way syncing. And that is a part of people who look at it and say, this is going to blow. I have looked at it for the last one year. It is going to blow. There is no way the system is going to survive the way in which these guys are going forward. Just one clarification there: why is this extra data going to the center? They said that they don't want anything, they don't want anything at all. There is another central project called SRVAM. SRVAM, why was it launched? It was launched outside UIDAI. It was launched by DBT Bharat mission, outside UIDAI. But I think PwC's role is also that you mentioned. So coming back to the Airtel... So who designed the Karnataka resident data hub? PwC, PricewaterhouseCoopers. Who audits Aadhaar database leaks? PricewaterhouseCoopers. Who designed Airtel? PricewaterhouseCoopers. Who audits Airtel data breach? PricewaterhouseCoopers. Who runs the country? That's the question. I don't want to go into it. And also I think it went itself... they essentially, about them, the ethical, rather unethical behavior, there was a parliament and such. There is a whole lot of history that one is never reliable. Who controls that from... So SRVAM project was fundamentally built outside of UIDAI, but what enabled the SRVAM project is SRDH. SRDH. Think about it, right? If you have 20 different databases, all having individual, every single detail about every single resident in every single studio they have, it's too easy to link connection database with everyone. You need to have these two, 20, together, and then that is made available to the central government, whatever they please. And that's the SRVAM project. It's actually aptly named. It's called SRVAM. S-E-R-V-A-M is basically something that came afterwards. The original name of the project is SRVAM, S-E-R-V-A-M, everything. What are we trying to do with Aadhaar? That goalpost has changed over the years so many times. This was the question somebody asked in the starting of the DVD, I guess it was you, I don't know. I don't talk anything but driving. You have driving license, you have a PAN. Purpose is Aadhaar? And that question has never been answered. That's what keeps changing. One of the things that we remember is that organisms like to live, and it's also a group of institutions and entities. Entities like to live. So UIDAI at this point is fighting for survival, and they don't care why they don't exist, they just want to exist. And while we discuss about data protection, there is active discussions on how to hold this problem, purpose limitation, without even understanding this. When you say UIDAI, you want to exist, you need to say their work is done, they need not exist. They don't solve any other problems. They are created to solve some problems. They are not solving those problems. So the question now is, why does this department exist, and why are they
forcing themselves and everybody in this country? And the only way to understand it is that they are existing for their own sake. Now, existence for the sake of existence: for example, why they issued a gazette notification recently. What power they have? On what basis are they telling a bank whether to accept another involvement or not? So why RBI is over... NPCI is an association of banks that is supposedly overseen by RBI, and it's an association that's owned by the banks. So when a bank has a deal with NPCI or an Aadhaar mapper, it's basically between them and their subsidiary, and whatever rules are, are rules set by NPCI as an independent organization. It's a non-profit, but it's a privately owned non-profit, because it's owned by the banks. It's not owned by the government. Now on what basis is UIDAI telling NPCI to honor or not honor updates to its mapper? And on what basis is UIDAI telling a bank to not send a notice to NPCI asking for an update? What is the legal backing behind it? Where is the statute behind it? Nothing. I mean, they quoted some section of the Aadhaar Act saying that as per the powers conferred... that's like saying, as per the cover powers conferred by me, to me, by me, through me, only to myself. How does it matter? Well, they have quoted some sections of the act that gives them supposedly the power to do this. I have to go and check what those sections say. But it's an interesting question. Yeah, so this is the thing, right? So UIDAI is behaving like a slave. Does UIDAI come under RTI? No. Yes, they do, but no, because they refuse most of the answers by saying national security. I mean, that's been a trend, pattern, that we have seen. So this is part of what speakton is trying to do: ask the same question through parliament, because there they can't refuse. Yeah, but you won't get answers, you are just wasting 10 bucks. And some other department refuses, you can go to the court saying they are buying things now, the parliament. And so if it looks like RTI, which is okay, which is okay, which is okay, which is expected,
that's the trick that we have done on the question. And this is not the final word. You can still charge and put a case against them, so proceedings, it will be decided. Yes, so I suspect these things are already in progress. They have just been somewhere in the court system waiting for a daily... court challenges, some really challenging UIDAI, and there are some other... I will not even keep track of what's happening in court, the number of cases. Okay, what more, guys, you want to ask? Another... I think one step should be repeated again. Yeah. If you don't have Aadhaar, don't get it. If you have Aadhaar, don't link it. If you have linked Aadhaar, just be extra careful. That's all there is. The mobile phone company call you... mobile phone company, make sure you don't have to do that. Yeah. If you have Aadhaar, do the biometric lock. Refuse to do biometric authentication anyway, because it's not really required. It's not mandatory according to the Aadhaar Act itself. No, it's up to the service providers. Service providers can choose to demand biometrics. If you like it... you won't have a choice in it. It's up to the service provider. But even for mobile phone linking and stuff? Yeah, tiles allow them to do through OTP, which is kind of bizarre, because you are authenticating our phone number through the phone number. So if you have the phone number and claim it is yours... hey, that's like UIDAI suing themselves. It's the same thing. If you have Aadhaar, just ensure you guys just don't lose your phone number. Yes. And if you do not have a phone number, and certainly Aadhaar, add it, because if you don't, somebody else will put their number, because there is no authentication the first time a phone number is added. Say that again? If you have an Aadhaar number and there is no phone number attached to it, you can add a phone number to it without authentication, because the authentication is sent to the phone number that you added. It's like a classic bootstrap. That was something I never discovered. Yeah, yeah, yeah. Let's not get him to talk and report it.
So some people have had SIMs which they lost, or went to another city and then got a new SIM, and that was linked to the Aadhaar. So what can those people do now, if it's got another number linked to it? Enjoy screwing somebody else. No, I mean, how do you unlink it? And you don't have access to that number anymore. Because the practical solution is... practical solution, you can technically go by an enrollment center and ask for a data update, give some 100 rupees and whatever you want. So the problem is, people who have done this have been given new Aadhaar numbers. This is how the duplicate Aadhaar thing happens: that you went to a center to update some details and they end up discovering that you didn't match what they thought you were supposed to match. So this iris guy got bugged, was discovered like this, that somebody went to update his details and wanted a new number instead. So anybody who has Aadhaar must have a mobile number, otherwise... That's good. So here's the question: who designed... there's an agency that designed the computer system? The volunteers. I had to go validate it. The volunteers?
National secret. They should be asked into the RTI, and they refuse to answer. So do we know what the structure of this organization is like? Some of it is known because it's documented. Software company have the red light team, the QA team... no architect today. And who is the architect, the software architect? Pramod Verma is credited as the architect. I had a lot of interest. We know this through his own LinkedIn profile. Otherwise it doesn't mention anywhere that he... multiple people came to visit other. So then it's not publicly... So for instance, one of the other guys who claims to be an architect is Vivek Raghavan, who currently works at the CIDR. But before UIDAI understood operational security, they should very happily publish all this information out there. They have a blogspot website. There are two of them, which has the entire org chart of UIDAI. One is called UIDAI help.blogspot.in, the other one is UIDAI info or something like that. You go there, two websites, built by probably two different people, because they got duplicate data but slightly different. But if you think about it, that's the thing. So Vivek Raghavan, who claims to be an architect of Aadhaar on his LinkedIn profile, who currently works at CIDR, is listed on this blogspot website as a volunteer, and his actual job title is volunteer. So here we can say either he was a volunteer or he was an architect, but other than that he was a volunteer architect. So is there a list of all the sites with photographer, wrong board, other? Are we just being fed... They claim to have done their homework, but it's all national security. So their minds to call it national security, because acting has like somebody... that's the problem. That's national security? It goes through human eyes. For whichever government agency handles security, they have humans working, but they trust those humans not to divulge information outside. So for example, I don't need to know who the person is, but can I at least know that this person has a background in cryptography etc.?
So to the best of my knowledge nobody in UIDAI has said background in cryptography. I have not seen any of it. So how about the cryptographic credential? We can't say that. After the document, the piece will all come out in public. It's clear to me. I think for the people on the live stream, 7 conversations will be really difficult. Sorry, I just wanted to mention, these are the kinds of things that we can file RTI requests about, so you don't need to know the identity of the person. But here is the thing. At one point you mentioned that the courts do not do anything about technology. I can tell you another case that happened. There was only one who pointed this out. The Cauvery judgement, for example: the judges do nothing about a simple thing like water flow rate. And here we are talking about water flow rate, which you should technically know if you are an extended science person. I do not expect judges to know about cryptography. Cryptography, even for a computer scientist, I think is... First of all, at least in the US, in the Bay Area, they have lawyers who understand these things. Are there lawyers in India who do? There are some, actually, but the point is that there are no junior lawyers. Okay, second question: is there a person with, let's say, a proper theoretical computer science background who can demystify this to a judge? In the Cauvery case there were actually bona fide civil engineers who seemed to be going along with the same mistakes. So I am an ex-engineer, I today teach marketing. I had to point it out to them, this is wrong. And again, you are talking about things like cryptography, database design. These are complex computer science stuff. So on your team, at least for filing the RTI and the legal side, is there somebody who can convey this to the legal team? So one of the problems is, the legal team is all based in Delhi and all the tech guys are here in Bangalore. We have this problem within the defense of... within the anti-Aadhaar collective, is that we are just two different camps, and while we know
each other and keep telling each other that this is what we should do, it is not part of the strategy, because the senior lawyers don't talk to us. The junior lawyers have the deal with the seniors. It is a very well known problem now. With that, the questioning of Aadhaar in court is not technically solved. So now, for example, you give some cryptographic things about 2048-bit. Yeah, I do not know what it means. I am not sure too many people outside this room know. This is exactly the reason they have been able to sell it as a panacea. So nobody understands what is happening. In the communication problem, but like he is talking... No, this is well acknowledged. If you have an idea... No, I do not know. It is a well acknowledged... I will give you another case where judges are totally cruel. As if you remember, IPL 2 was moved to South Africa, and of course the BCCI, and this is ridiculous, right? IPL, it was big, and I think one of the judges, somebody, said, I wish you all the best, I wish India wins the IPL. That was actually said, and nobody really challenged that. That means you do not know what the IPL is in your past judgment. So I think there is a communication gap here that you need to... it is not a problem of... and sure, all of you guys know your technical stuff, but it is a problem of... there is an organization design problem on your side as well, which you probably need to solve before you go after that. Yeah, I do not think we are an organization necessarily. We are kind of like a loose collection of... loose collection of stupid forms. Loose collections work perfectly well. Look at the Lina Shriza groups, they work perfectly well. No, but another challenge in this specifically is that the judiciary has been extremely difficult to get through to. Even the matters that are before them have been heard after very, very long gaps. That is okay, that problem India will get resolved when the January 17 thing comes. The question is, what do you do for the final one? See, so here is the problem. If you look at it, most of the
people... the technology... and it is always easy to defend the technology when the users have not been rolled out. So that is the reason why it is a good thing it is rolled out, and we know all the problems, and we have now collected truckloads of documents. So the only question that you have to again ask is, are you going to go and explain all this to a lawyer, what is simply for a lawyer, versus you go and argue purely on the technology, versus you go argue purely on the law. And me, I can certainly believe that this is going to be a lost if you are going to argue purely on the law, and that I am very sure, that I am 100% sure. But here is the problem. The catastrophic is going to come after the court is going to say yes. There will be a lot of collateral damage. We should talk more about single point of failure, I guess. See, so here is the problem. The catastrophic is going to happen. There is no predicting it. And the way in which I typically tell, in terms of security, to my team is, look, there is a 100 floor building and you guys have just jumped off from the 100 floor, right? Even at the 99 floor these fellows are going to come and argue to me, I am still alive, what the fuck are you talking about? Okay, this is what I call the immortality problem, which is, as long as you are alive you are going to argue you are immortal, and I can't disprove you. But after you are dead, what is the point of arguing with you, right? So basically the main which I look at is, the problem in software companies, right, it is easier because there is not a judiciary thing, and there are people whose businesses are on the line, and there is money in the world if you get it wrong. Incentives are aligned in terms of running a business. Here incentives are not aligned. Also, people who have been specifically educated along those lines. And here what you are basically saying is, Sikri comes and says, well, it is encrypted, and there has never been a rebuttal in the court asking what kind of encryption, and the lawyer himself doesn't know.
Okay, exactly the point, and there have been several such. So forget about just the lawyer part. I mean, in terms of technology we will keep that aside, but just look at the outrageous number lies, the way since he told about 59,000 crore rupees saved, saving numbers, "we have saved so many duplicates", right? But here is the point with that: numbers, right, and lies are pretty easy, and all you really read it was mathematics, okay, not the complicated mathematics but just plus and minus. On 2015 you go and say that I found 0.4% duplicates in LPG. On 2014, on the Supreme Court, the government basically gave an affidavit saying that they found 0.4% duplicates in the LPG scheme, okay? 2015, exactly 6 months later, they went and told the government that we found 15% duplicates in the LPG database, okay? The net addition between the 2014 LPG database and 2015 LPG database is 1 lakh. You understood the difference? On 2014 the government went to the Supreme Court and made an affidavit which said we found 0.4% duplicates in the database of LPG guys, okay? 2015, to the same court, 6 months later, they went and told we found 3.34 crore duplicates in the LPG database. The size addition between 2014 and 2015 is 1 lakh. So for a net addition of 1 lakh in the LPG database, how the fuck did you find 3.34 crore duplicates new? Of course, right, that seeded environment, so it's not random people in the database. So if you look at every single mathematical... I mean, then it gets even interesting in the media, right? Financial Express basically said Rajasthan found 2.33 crore duplicate entries in the ration database, okay? The net size of the Rajasthan PDS database is 96 lakhs. But don't trust me, because the net size... the duplicate size is greater than the total number of duplicates. Before the duplicates, all of it was 96 lakhs. The total size of the database was 96 lakhs and the duplicates found in it were 2.33 crore, okay? No, no, here's one thing: the communication between what is said and what is reported is very huge, in my
experience. This one is based on Financial Express? No, no, there is the same information in the court. I mean, you look at it, it's a transparent lie, and I can tell you the latest RTI that I got from meha. So basically they said in LPG, 2015 and 16, financial 2015 and 16, the total number of duplicates found was 3.36 crore, okay, which is anyway a lie, but let's not get into that, in a beneficiary size of 18 crores. Database size was 18 crores. On 2015 and 16 they said 3.36 crores. On 2016 and 17 they said we found another additional 3.31 crore duplicates, when the total number of beneficiary size added was 1 crore, okay? So any which way you look at it, I call this f(x) is equal to random of x, okay? You're basically just pure numbers from 1 crore as and hope the other guy doesn't notice it. But where is the engagement on that? I mean, none. Nobody is questioning them about these numbers, right? The only guys who are questioning them is me on Twitter and a bunch of other guys in Rithika and so on. But where in the court did you... Yeah, I think it is on the kalyani men on funnish on funnish in us who wrote that on funnish in us. Where was that question, right? And again, first time it's questioned and they chose not to defend it. And it gets even better: the World Bank lie, where they basically said that we, World Bank... So basically when we put the counter for Shanty Sanha, and they chose not to defend it, they found the counter affidavit, which is very, very rare, and they said, "Well, World Bank essentially said I work and save 10 billion dollars. Are you saying that World Bank is also a compromised organization or something?" That they put on the court affidavit. I mean, I have it all, right? And then I went and looked at the World Bank, World Bank report. It said the total number of, the value of subsidy, subsidy transfers every year in India is 10 billion dollars. Remember the wording: the value of subsidy transfers every year in India is equal to 10 billion dollars. These bloody buggers essentially went and changed that into
10 billion dollars of savings, okay, for Aadhaar. Okay, and it was... Yeah, yeah, it gets even more interesting, because I did it like a proper journalist. I basically sent the questionnaire to World Bank itself saying, "What the fuck are you talking about? Your bumps." Alright, and they replied back by saying that, "Oh, these are the two studies, and the extrapolated, interpolated, and we came up with this number." I said, "Show me the Excel sheet." "We have shared everything what we could share." Last one, security, right? Right, right. I was like, done and dusted, done and dusted, right? And then even after, exactly two weeks later, right, it was a big article on Wire. Initially it was with old news. No, it came on Wire. Yeah, it came on Wire. September 15th it came, right? It had 35,000 views and everyone read it, even Observer Research Foundation. There was even, prior to that, a call with World Bank. There was a call with World Bank, it was documented, and the entire transcript was published in the article. Every single media organization read it, knew it. Exactly three weeks later Nandan attends a conference on IGF. Two weeks after that there was a conference, he went and attended, about digital IGM product, and then he said Aadhaar saved 9 billion dollars. And they are looking at it saying, hang on, does this have any correlation? I mean 9 billion, 10 billion, 200 billion, 2 billion, 3 billion. So I call it as the billionaire problem, in the sense that because Nandan is a billionaire and he says everything, it has to be billion, and because people believe that Nandan is a billionaire and everything he says has to have a billion number. Show me one statistic that the Aadhaar guys put which doesn't have a billion in it. Open challenge. And by the way, it was the fastest, fastest 1 billion, the fastest product or user. Fair enough, that's how the typical stuff works. This government has been applying with numbers consistently. You file any RTI about demonetization asking about different periods, they will lie on record. You ask them about the number of
enrolments, you ask them about savings, this is all covered in the article, this is all related to Aadhaar, they will lie on record. But demonetization, there was news statements, the actual spending of incrementing demonetization. It is no different here. So here is the other thing that we are doing: we are basically trying to come up with some kind of a cost-benefit analysis, and I can tell you upfront, off my head, we have several billion dollars negative. They have already accepted it? Not this, this Aadhaar, this several billion dollars negative. It has to be minus the savings from all that. It is several billion dollars negative, it has to be. That doesn't account for the cost of privacy lost and things like that. No, there is one of the most costliest cities, okay, by a poor country which could have used the money to do 100 other things. Even with corruption, I guess the runway would have been better. So here is the point. So far, in my thing, they have probably saved... 6000 find up crores was the set-up cost for LPG, okay, and set-up cost. And then Aadhaar enrollment is anyway 20,000 crores, so let's not bring that up, let's think about LPG itself. The average money they are saving because of all this is about 100 crores every year, they are saving close to about 1000 crores, okay? So on a run-rate basis they are already negative, okay? So in order to recoup the 6000 finding crores, they are never going to set up. It's a non-converging function. Plus they are burning every year. Plus they are burning every year. So the way in which I look at Aadhaar is fundamentally a start-up which is funded by government, which is always making, losing a lot of money. That's what I said this year, when you can stop funding your gamble. This is a government-funded gambling addiction. And if you have to be... just look at this year alone. This year start, they had 50,000-plus Aadhaar enrollment centers. Then they blacklisted 49,000. Then they had 35,000 enrollers remaining. Then the registered device strategy came. Then they closed down, they
moved all their enrollment centers into government premises. Then the device changed for registered device and all the new kind of things. Then they closed down every enrollment center and decided to open enrollment centers in the banks, and as of now only 2,500 enrollment centers exist all over India. You can imagine. Just imagine this also, because some people are trying to get the government with numbers, like trying to get each state, their enrollment is there, and there are other people also working with them. What they have done is they have deliberately stopped enrolling people in Aadhaar, and this is legit. One of my friends who is doing it in Bangalore, he had to go and stand in the queue on Monday for 3 weeks, because they give you 200 tokens on Monday. Even if you are the 201st person you won't get a token, and in the rest of the 5 days or 4 days of the week they will process only those 200 tokens. This is because the states have reached 100% or more than 100%? That is not the reason. There is a story. How many guys have you heard about the fact about the ghost kit? The ghost kit. Ghost kit. How many guys have you heard about the ghost kit story? Here is the most interesting problem. Can a biometric be faked? Yes. Can I take your left hand and my right hand, Kiran's left eye and my right eye, and give this guy's address? Will it pass the de-duplication engine? Yes. You got the ghost kit. People have used it, and people have used it, and for close to 1 year you couldn't recognize it. So it turns out that it was one of their own staffers doing this. Yeah, this is the Kanpur case. So it turns out that there was this thriving business of selling ghost kits, where they were selling fingerprint masks of legitimate enrollment agents, but on the black market. So you could download the Aadhaar software yourself, enroll anybody you want with all these mix-match biometrics, use the fake fingerprint, authenticate, and they had no... We just get another number? You get another number. Remember, every ghost number is
gold. Why? You can use it. You can use it to link to everything, so your bank account won't shut down, but in case they don't track you they will never be able to find you. But it's a fake number? Yeah. And so this was something done by an insider in UIDAI, and this was selling like hotcakes, hotcakes, all over the country, okay, believe me. And I'll give this... so think, this is not a movie, guys. So is this guy a volunteer? This is even better, okay? So we looked at how the enrollment software works. He has a domain called biometrics shop. Downloaded... as it turns out, the enrollment software you can download from UIDAI's website if you want, okay? Do you want the enrollment software on your laptop? I can do it today. It's even downloadable and installable today, and you can buy the fingerprint machine. And it's a Java app? It's a Java app, right. It's a Java app, it's very easy to decompile. It is not even obfuscated. It is not obfuscated, it is not signed. When you do an enrollment, and this guy is encrypted... So here's the problem. When you do an enrollment... I think that explains why everybody wants to be a volunteer, because nobody wants to keep against something amateur like this. When you do an enrollment with the software, the enrolling agent is supposed to put their finger and scan their irises every time they do an enrollment. So you do it for the customer who is working and you read yourself to prove it. Now, as it turns out, the server doesn't check your authentication, only the software checks it. So all you have to do, and this is what the ghost kit was doing: they disabled the iris scan part of the enrollment system, true equal to false. So they re-compiled the Java file, removing the iris scan part of the enrollment software? Removing the iris scan part of the enrollment software. No, no, it is not that. So basically how it works is, let's say you download the software and you want to enroll yourself as some other guy. The only thing that prevents you from doing that is: I am the operator and I have to
authenticate you as so, using my iris and fingerprint. These guys knew how to make fingerprint masks, so they made fingerprint prints, thumb prints, of all the operators. Fingerprint, unique fingerprints of all the operators were found in the place where they arrested these guys. But however, these guys didn't know how to disable the iris. So what they did is, they said Java software can be re-compiled, re-compiled and patched. So what they said is: get iris match with local, if match is equal to true, if match is equal to false. Just went and changed that line and just put it in, fixed, compiled. So what this guy does is he will come and say, put a fingerprint with the rubber thing, and it will start. He will put his finger... I mean, this is documented, we have an FIR copy for it, okay? And this has been going on for close to a year, right? Okay. Yeah, yeah, this is a gift that can never stop giving, right? Now here is the hard part, right: how the fuck do I tell this to the courts? Who is the document verifier in this? Who is the document verifier? You make whatever you want, and there is no authority, because somebody else's fingerprint you are using. And you know what they are sending the software for? The software is 12000, for 5000 bucks, the fingerprint is extra. And so what happens is you got that software and you got a fingerprint also, some extra fingerprint, for 5000 bucks and everything. Now here is your opportunity: how will you recoup your cost? You call Annivar and say, "Do you want a duplicate ghost kit? 5000." So you see the wonderful integrated business model being built around all this fantastic stuff. I mean, it's mind-blowing. So this incidentally is why enrollment has been shut down after a second. In case you guys didn't know, this is precisely the reason why, after I reported this case, enrollment has been shut down throughout the country. So now only the government... So it's limited to 200 people? Yeah, because now it's, now only the government. All private enrollment is, all private, because of this case.
So in case you guys wonder what is the culprit and why you guys can never get an Aadhaar without standing in the queue for like 5 hours, you know precisely whom to blame. But in this case also you are assuming, press, that the bank operator is not complicit? Absolutely, that also happens. Yeah, we are not done yet, okay? So in case you guys understand what was the original Aadhaar case, it is Axis Bank. Yes, so the bank is already complicit. So one of the things came out last week. So your document verification is supposed to be done by a retired government officer or government officer who is the gazetted, gazetted officer. So as it turns out, one particular doctor who is the gazetted officer has been verifying documents even though he had retired. He was therefore technically not authorized to do it anymore, and he had just been going on verifying documents, certifying data, saying this document is genuine. UIDAI discovered suddenly that they were all coming from someone who is retired and therefore not authorized, so they had to cancel all those Aadhaars, saying documents are not verified. Now the point is, what is the problem here? Is it fraud or is it not authorized? They do different things. Now this could be just a retired official continuing to do it as if he is not retired, but doing it honestly, or it could be fraud. What's the difference? Everything. And these people have no mechanism, they just say everything must be fraud. There is an interesting... there is a Mastercard paper which says the existing Aadhaar enrollment process is fraud and only banks can solve it, and that is their proposition, and this is what the result is. Now UIDAI is following that path by closing the Aadhaar enrollment agency. So they closed every single private enrollment agency, every single private enrollment agency. And here is the interesting part: before closing they tried to move it to government, government. So 50,000... at any given point of time there were 60,000 private enrollment agencies. They shut down every one
of them after last month or May. Now how many people got enrolled using those 60,000 agencies? Which is 1.2 billion. What happened? How many ghosts are there? So we don't know. The ghost kit has been alive for close to a year, we know that for sure. Another question which comes up: nice sci-fi stuff, now you can buy the enrollment kit in the tuker. And you know what is the best part about the registered devices? Because all these enrollment guys bought all these enrollment biometric devices and tried to register. Now they are all being shut down, right? Now what they are doing is they are checking all those biometric devices that they bought and putting in quicker, so you can basically buy them. And here is the best part: are they also selling the registered keys? I bet yes, because the standard device would not be registered, registered. So I am pretty sure if I go and say... Yeah, this key is enabled or disabled, now we don't know. The thing is that you discover this, you report it, and you get harassed. Another question, if anyone knows the answer to this: what are your recourses when the UIDAI decides to disable your app Zilx? At this point 85 lakh disabled. 85 lakh disabled Aadhaar numbers. I know one known way, which is fighting to promote Irma. Yeah, yeah, yeah, that's a documented case, that's a documented case. 85 lakh disabled Aadhaar numbers. How many PAN numbers they found were duplicates? 11.2 lakhs, for which the court essentially cleared the PAN-Aadhaar case saying, yeah, it is valid. How many Aadhaar numbers disabled? 85 lakhs. What exactly are we talking about in this country? So the Titanic is coming, but the only question is: are you and me going to face the collateral damages of the Titanic, or the court will stop it, or the court will stop it after the Titanic is collapsed? We don't know. I think the only reports is that to reduce your attack surface. Dude, they work very hard. If you have a chance... they have worked very hard to ensure that there is no attack surface. But even linking Aadhaar with love will work, and in
case you didn't know the latest thing, even in Goa and paid sex, if you want, you have to get Aadhaar. The most interesting is the UP Act, right? I mean, for all practical purposes the attack surface is in entire life. I don't think you can escape it. Our cyber security attack model, threat model, is long gone. Question received on WhatsApp: if the legal challenge in the Supreme Court fails, then how will the failures in the system happen? So basically, what's the iceberg? I think it's a... I think it's like a massive failure that gets covered, that's plastered all over the TV screens. Yeah, so personally I'm hoping disaster happens instead of a slow burn, because slow burn will normalize the failure. So actually I'm happy with the acceleration, that means that the failure will happen. Yeah, the failure will happen. It is just going to get more people aware of the fact that this is a broken system. Website, talk about it, send people to Speak For Me, make sure you have the argument, because lots of people keep saying what is the harm in Aadhaar. I think everything is the wrong harm in Aadhaar because it's so broken, and the only way to do this is to just talk about it as much as possible. Discussion and debate, discussion and debate, never stop. See, the one good thing about India is we never stop talking, right? The unfortunate reality is that we keep talking about stuff that is not really relevant. Interesting: there was a UP-based, Aadhaar-based marriage registration. So it is like you don't need to go to a government office. It's an act, it's a special act in UP. You can enter the Aadhaar number of two people and then authenticate them, and you basically get married, and pay 10 rupees, pay 10 bucks, and you don't need anyone. So, and this is from UP, and this is only for Hindus. Only for Hindus? We are both Hindus. Can you just give me a mobile phone? Can you just give me a mobile number? Can you give me a mobile number? I can give you 5 minutes. But now this facility got suspended: this facility of Aadhaar based marriage registration is temporarily
available due to change in Aadhaar policy and new marriage registration rules. The process is incorporated above changes in progress and online marriage registration will be avail soon. How they shut down the service... Shit, shit. There are many. You have to worry, divorce should be as simple as this. It is not, it is not. But anyway, there are interesting state Aadhaar rags similar to this, we know them all. So here, in case you guys don't understand the impact of it, this is the reality. Just talk as much as you can. It may be too late or it may be not, who knows. Already I have a very hard time explaining this to my parents. My parents are pretty, pretty understanding, they say I am mad. Okay, so parents are very, very understanding: why are they even trying to waste your time on this, I mean, do something useful with your life. A lot of questions. Maybe you have, somebody has encountered this scenario. So the first time, I was against Aadhaar for a long time, but finally I went and applied, and the application was not taken by the system. That means I got the enrollment ID, they said you come back after 3 weeks, Aadhaar rags. So I kept going back. Every time the system will throw an error: that means the center has not received your Aadhaar packet. There is the same error I used to get. So even after 3-4 months the same error was there. So finally they said we will cancel that and you re-enroll again. So now I am asking whether this could be a case of duplicate enrollment. So if it never hit the CIDR... See, packet upload problems are very common. So what happens is your enrollment basically gets generated as a packet and stays in the local hard disk, and if they are never able to upload it, it never hits the CIDR, and hence you will probably never get a duplicate Aadhaar. That is the best I can answer. If it only hits there... you said one more... Basically you get duplicates if you happen to stay outside those thresholds, but if it never hits, that is how it is. So what happens to my first enrollment? It got lost? It is not that it is
still in the system? It may go to CIDR at a later point. Very unlikely. Happens a lot. There were close to 1.2 crore Aadhaar enrollments that Maharashtra lost, because in those days we used to send it on a physical hard disk, and the hard disk got lost halfway, and we used to send the physical hard disk on India Post. Some of you might have... of course. Some of you might have... CIDR was saying the CDs are available in the pirate market with the biometrics. Sorry, you are asking? Some of you might have got a telecom connection using your Aadhaar, let's say a Jio connection. So when they authenticate they get the details from UIDAI, and does that detail contain mobile number as well? Of course it did for a while, but not now. Till Aadhaar's API 2.0 it returned email and mobile, but not now. 2.1 onwards it is not, it is dead. Mobile number was not returned? For a long time it did, but not now, because people made a lot of noise saying why the hell are you guys giving this information to other people. And secondly, is there a requirement that when an authentication is done you should get a notification? Of course you should. If your mobile and email is registered, you should. But I did not. Happens a lot. OTP gets lost. Not OTP, but the acknowledgement was used. Notification also gets lost. If you go to the website and log in there and see it, you will be able to see it, except you can just guess that at this rate, at this time, I was at the Jio center. There is no name that this was authenticated by Jio, it is just random numbers. I am talking about somebody using it. There is a website which goes into all the authentication, except you are made, you can go check that. It keeps it for the last 6 months or 50 attempts. But notification, you should get it. You should get it if you have registered, your mobile or email ID is proper there, you should get it. You get a lot? Is it? No, I instantly had to use it. So there is a problem I wanted to put down. Like, you means all of us are saying that we should avoid using Aadhaar, but in the
practically... No, I think what this is: if you have Aadhaar you should use it? No, no, if you have it, ignore it and try to be careful. That is what... use it as little as possible, because there are so many leaks in this system. So the problem I want to put down, say, here it is, that practically it is, it is a mandate now in everyday life. So recently I had a very urgent job at my home town where I needed to open... so that line was on, only accepted biometrics, it didn't even accept anything else. So I had no choice there, so I had to scan it. Yeah, this happened with Jio also, where they said that they are only opening, they are only giving out SIMs using... Yeah, so what it was... but now they have gone back. So everywhere you were there they were already giving it. Operators, it is the most convenient, easy, quick way, and the chance of providing customers double authentication. For example, customers such as you who do not get SMS, you won't know if both were successful or just one. And that's how in MP there was a huge scam where the operators were issuing double SIMs to everyone, and they were selling one on the black market, one to the rest. This was throughout, I think. No, but the three of them arrested for this case got busted. There must have been others. So recently I locked, I locked my biometrics some eight, nine months back, and I tried to use it some three months back to get a gosm, and I couldn't. It wouldn't recognize my theory. And then did you try to unlock it? No, I did unlock it, it did not work. It was still the same to you. So that's what somebody said, no, unlocking may not work. Yeah, unlocking does not work sometimes. And here is the other interesting part, right? So here is the assumption part on biometrics which you have never covered: do you really think there is a single body part in your body that survives time? No, right? So a permanent ID with a permanent marker doesn't really exist. And so, yeah, it's not modeled on truth, it is not modeled on truth. And so what will happen is they will keep forcing you to
keep re-enrolling again and again on upgrading your biometrics, okay? What is the story that we heard on Karnataka's thing? Five years? No, ten years. Five years. So the fact of the matter is this, right: your fingerprint does change over five years, enough that the machine, quality of the machine that these guys use, is not able to recognize it and say it is you. So we call it as a probabilistic you: sometimes it is you, sometimes it is not you. So biometrics in phones work like, if I give a wrong fingerprint and then I give the passcode, then it learns that it is actually me, so it saves the new copy and then builds on it. So here enrollment and authentication are two very distinct operations, okay? And enrollment is fundamentally a very costly scanner. It is at least what we call a slap scanner. It has high-resolution images and hence it is much easier to capture your templates, okay? The one that you see on the lines and on the stuff is basically Mantra systems, which is 3000 to 2000 rupees, 2000 rupees. They don't even scan the full fingerprint, they basically scan part of it, part of it, okay? And it is low resolution, right? And every single guy puts it, puts it, puts it, so there is anyway mechanical wear and tear, right? So the matching is worse, because matching works best... see, the numbers they claim as two percent or three percent failures is when the same system is being used for enrollment and authentication. Quality matches a lot, matters a lot. But then for these guys everything has to be cheap, got it? So what they ended up doing was they gave this Mantra scanner, by very low quality, and in image comparison quality matters a lot. So what happens is, even if there is a small change, the quality amplifies it. So there are known cases where even people who are not able to get it back often. So that is why we call it as playing dice with probability. Got, play, if it works. So the question is, does it, does the chance of acceptance of your fingerprint increase as you use it more? No, because they are not
learning, because they don't do learning. It's not a learning system. There is no re-enrollment happening every time there is a failure, okay? Because think about it: if it is really the case, then I can become you by repeatedly trying, no? All I need to know is the Aadhaar number, which anyway you will be very happy to give. Everyone gives it, believe me when I tell you this. Should we call it an anecdote? I would like to share one anecdote through my work. We were working for an AEPS-based system, which is Aadhaar Enabled Payment System, and we were working with an, I guess, ASA, who is authorized to have the Aadhaar AEPS, which can talk to banks, and we were to build a system on top of it where a common man can use it for online payments. For testing the system they sent us a physical fingerprint machine, but then we told them that we can't test it because our accounts are not linked and our employees would not do it. They sent us their own employees' fingerprint files over Gmail in an XML format. Imagine the possibilities. And it was sent to not one person but to a team email ID. Why would people who work with Aadhaar and with such sensitive systems, where they themselves are dealing with the bank, not know the consequences of what can happen if you share your own fingerprint data? Why am I not surprised? So finally, we should go to speakforme.in and then take action, ask your MP to say do something about it, because there are only two avenues for it, okay? One is judiciary and the other is legislature. Executive will forget about it, and media is already compromised. Whatever media that is happening is all sitting here. Alright, thank you guys, and people on the live stream, bye.