So, it has biometrics collection of all the individuals who are registered on it and it is not very secure, since data has been leaked, there have been instances on the internet as well like there was a famous one I remember from Twitter that I know Sony's data was leaked somehow by just using this one of the KYC documents. So, I got to know, means it is not very secure, brought into force of law, it is not acted upon, if any breach happens in security and it is de facto social security number as in the U.S. right now and it is going to be going, getting close toward that status in India and to get there and it is necessary to make it secure because n number of things can go wrong with an individual's personal life is other secrets are there for other biometrics can be issued in India because now it is all leaked everywhere by red lights. The problem was initially when they said this is not likely, this is not likely. When I have a current, I have a license, I have a passport, this is not enough, I mean these were not enough that you had to bring in a whole new thing and then post it on everybody. That was the first issue I had, then of course the security and biometrics and all that. I learned data, that was not my first issue of course, but that you are posting something new when you cannot fix what is already there, that is my biggest issue with that. My issue is with, should I? Yeah. Oh yeah. In 10 people, how does it matter for you? So, main issue for me is cross-linking, why this, my relationship need to know which I am using, why does my SIM card need to know what, if you link them all through the same key and a table, they all become joints. So yeah, so I think it is also worth noting that other that how to mix cross-linking, of course it is, is even very, very good. How one can be sure that it is not being used? Is there a way to be sure?
Maybe a hundred reasons for why I am opposing Aadhaar, but when I am looking back now, the main major issue is the total spoil of digital consent and the absence of purpose limitation. So, it is affecting all data privacy and all kinds of policy making in India? Yeah. Consent. Consent, yeah. The consent is broken in Aadhaar. Actually, Aadhaar is very powerful. And it is important for us to understand who actually controls it. It seems like it is an NGO and things, but there may be some invisible powers controlling it and that can be a cause of concern. So, more accountability? Yeah. Of course. Who holds what data and how is it being used? And why someone cannot sue it, you know, like, because it is like God to us, you know. Who is the God? That is a question. Somebody was comparing to social security. You guys all come in? So, it is easier? Yeah, it is easier. So, somebody was comparing it to social security, but you have laws that if your social security number is misused, you can approach the court and you will be paid some, some distinction in order to balance it out. And then you can sue companies, you can sue individuals. But what we have with UIDAI, UIDAI can sue UIDAI, which is never going to happen, we all know that. So, that was the point when comparing it, like, there was no specific laws in social security, and social security laws, but they are getting the status of social security. Without the framework. Without the framework, so they keep comparing it to this, but they won't really go into the depth of how. There needs to be a framework for the case. So, but even if you had a law, how many laws in India need to be followed? And how long does it take to implement or actually enforce a law? But actually, if you have a law, it's an interesting point because the, I mean, everyone thinks that the law is one kind of thing. Actually, it's a collection of laws that you are doing. So, it's like you go to a hotel and there's a menu of several different kinds of food.
It's all food, but all the food is not the same, right? Some food comes to you in a state that you can really feed it. Some food is brought to your table and then you can sit together before you eat it. You know, there's different kinds of ways in which similarly, some laws, somebody has to complain against someone else for that law to come into the table. The law being good, I mean, it being there, but in the case of our country, how many laws are there that are really enforced? No, that's what I'm coming to. So for example, if you commit fraud against me and I complain against you, I can use the force of the law to act against you. And I can ensure that it acts, right? Then there are laws where the state has to take what's called suo motu cognizance, which means that it's a crime against all of us. So the state says this is something we must act against. So the state then ensures that the law is acted upon as it should be acted upon. The Aadhaar Act, the problem is that the law can only be called into action by UIDAI, by nobody else. And so then the question becomes even more exacerbated, which is, will the law ever be followed? It's like saying, I have to call the law into action whenever I make a mistake. So will I call the law into action against myself? Is Aadhaar beyond Supreme Court or not? Yes, it is. Because it still acts as it can't be done. According to the Aadhaar Act, nobody except the UIDAI, sorry, no court can hear any matter connected to Aadhaar except when brought forward by the UIDAI. This is in the Aadhaar Act. I think this is unfair. So what can we do? You can't report the crime under the act. You can only fight the act itself. So the act is unconstitutional, take that to court. Sure. I think that someone should do it. So those are ongoing cases. That's basically why the Supreme Court hearing has been postponed. And Aadhaar again. And Aadhaar is getting linked with everything. So every issue you have to… You have to wait for the next case.
Actually I'd like to just kind of summarize what my problem with Aadhaar is. My problem with Aadhaar is on multiple fronts. If you look at how our state is set up, there's the legislative, there's the executive and there's the judiciary. Now legislatively, Aadhaar is deeply flawed because it was passed as a money bill, which means the bill purposely supplemented Rajya Sabha. It was never debated in the Rajya Sabha. It was passed in a big hurry in the Lok Sabha without sufficient discussion. And usually money bills are reserved for matters of critical urgent importance. I mean, you have done this yesterday. So we have to get this done today. So let's not wait with you asking Rajya Sabha, which is actually the place where senior statesmen sit. And the Lok Sabha is supposed to listen to Rajya Sabha. That's why we have Rajya Sabha who has senior statesmen who will give us their political wisdom. But that was the way it is. So legislatively, Aadhaar is flawed. Executive wise, Aadhaar is flawed because nobody knows who is executing on behalf of Aadhaar. So UIDAI says we are not passing any notifications. We are just the people administrating Aadhaar. Then you have the Ministry of Information Technology, food and civil supplies, women and child welfare. All kinds of ministries passing notifications using Aadhaar to make something mandatory for a service that you need to claim under that ministry's jurisdiction. So the execution is all over the place. It's like, you know, everybody is, you are told that you go to the hotel and you get one meal. And then suddenly nine people are throwing different kinds of food at you. You are not having a satisfactory experience. So executive wise, it's flawed. Judicially it's also flawed because there is no legal recourse for the person who is the most affected by Aadhaar. The person who is giving up his biometrics, his eye scan, his fingerprints and his, you know, trusting all his personal information.
Once you link everything, my financial information, my phone numbers, which is all my private communications, my health information, my, you know, my consumption patterns. Everything and trusting with an organization. And if that organization messes up, I have no legal recourse. That's kind of my summary that legislatively, executive-wise and judicially, Aadhaar is like legal. And historically it messed up. Yes, yeah. Historically, I mean, people complain, complain, complain. And then a change is made saying, from now on it will be okay. And then people say, okay, the new system still doesn't complain, complain, complain, complain. And then something will be done saying, okay, now it's okay. And then again people say, well, with the brand new thing that you made, people complain, complain, complain. And then they say, okay, now it's okay. Finally, now it's been fixed. So the latest thing, of course, that we've been hearing about is this Airtel payments bank fraud. And this, as of this morning, the UIDAI has chosen to only selectively terminate our Airtel's EKYC for the payments bank business of Airtel. But it's allowing Airtel to still go ahead with the EKYC for mobile phones and verification. So does that mean UIDAI says that Airtel messed up big time. But only the payments bank part of this organization actually is problematic. These other days are good days, so you continue to do. What you did was wrong. So please stop doing the suspenderization. We anticipate you and then decide what happens. You start with your hands, okay. The issue is not just that, because whenever the tech people are getting involved and started criticizing, these people directed their whole tech documents over the time from the website. So yeah, it endures, yeah. So fortunately, thanks to aftekav.com and people who are getting the same. They will ban the site from the show. Here's the question. So when you say the Airtel thing is a fraud, is it really a fraud? Because they say it is.
So here's how it happened. I understand the tick box and people writing their Aadhaar numbers. I'll ask a different question, which is this, right? You didn't open a bank account. You're supposed to reduce subsidy on your HBI. And we're talking not about you or me. We're talking about people who are really living by 5000 rupees a month, for whom the 300-400 rupees subsidy is probably the biggest thing, right? In terms of... So my point is, isn't it by design that the Aadhaar, the latest bank account linked to your Aadhaar will be used? Yeah, it is by design. But it's not your account. So the opening was, I mean, they put a different checkbox. So the design is... There's two parts to this, okay? Airtel opening a payments bank account is not something NPCI needs to know about. Because NPCI only cares about the Aadhaar map. It doesn't control anything else. No, because a NEFT or an IMPS transfer is... Account number is directly specified by the sender. So NPCI doesn't need to know that you have an account over there. All it knows is which bank and which account number. It's only with the Aadhaar map that Aadhaar number plus bank is what NPCI records. Now, Airtel had no reason to update that line and say, Hey, the account is not with me. It's just an acquisition of Aadhaar. There is a point. But my point is, is it really legally allowed in the Aadhaar? Yeah, there is something wrong. In fact, also says that you have to inquire specific consent from the customer. Whether he wants to link it... Yes, it's not in my point. It's not in my point. These are actually about NPCI. No, it's not in my point. So what is worth? The UNDF believes it's wrong because the collection is 2.6 crore fine. So they have justified the fine collection on some basis. And we need to go look at the notifications here. On what basis are you collecting a fine? Because if it's not for all, why do you take a fine? And yeah, our NPCI, there is an APB mapper consent. So that means only from acquiring your...
If you look at the post office bank account, there is a consent for putting your number in the mapper. So that is not offered by AD banks. So what is that sort of consent? You are saying that... I gave my Aadhaar number. I opened the bank. That is first take. Which is what we call KVSE. I am making an explicit judgment. And me as an individual saying I want to open a new bank with Aadha. Can you see it's not there? Yeah, I know that. So with Aadha, first of all I am going and saying that I want to open a bank account. That is consent number one. Then the consent number two is not only I opened a new bank account, that bank account must now be linked with the Aadhaar mapper, which is maintained by NPCI, after which any payment made to the Aadhaar number will come to that Aadha bank account. So there are two levels of consent. So these guys never took number one, not number two. No banks, not just Aadha. And no one essentially takes number two. No bank essentially takes number two. Apart from the post service bank, no bank takes consent number two. Everyone updates by default. You are saying consent there is a form and there is a tick box saying Yes, yes, yes. Which is not... It is not only enough, it is not there. Yeah, I mean I saw that on my Aadha app and I was like... No, can I give you a comparison? You went to a shop and you wanted to buy potatoes. And you have said, please give me potatoes. The shop gives you potatoes. When you come home, you realize that they also sent you 10 kilos of onions and a car, which has been delivered to your house. Now you never asked for those things and you never asked for it to be routed in a certain way. So when we talk about the law, so we were saying, is it in the law? Is it in the law? The law is a complex set of instruments that interact with each other. So the Aadhaar Act is one thing. And there are rules which... There are certain bodies which have given powers to frame rules through the jurisdiction of the Aadhaar Act.
Aadhaar Act allows actually. Aadhaar Act allows for using Aadhaar Act number for any other purpose not to be defined by the sect. Right. Yeah, but that's my point. The point? Actually what we should do is to define... Is it why... No idea, correctly define. Exactly. Exactly. Because it can... That much has been announced. Because of the violation of the law. Because that is the instrument, right? That is the point of Aadhaar Act. You are saying, hey, this is not in the law. We are going as per the law as state. We are being aggressive. That's fine. So think about it very differently in any contract. In any contract, right? The way in which any contract law works is that you have to read the contract. You and me are signing it, right? You opening a bank account or you getting a SIM card is fundamentally not just Aadhaar Act. There is a whole bunch of other acts also which says that let us think about it, right? Good old stories that you see in Hindi movies, right? Some guy is signing his property, one empty paper is being kept on the bottom and he signs it. Exactly. What do you mean? Yeah, he signs it, right? Now you can go back and say, oh, oh, oh, is it being covered by the Aadhaar Act? I mean, maybe or maybe not. But the fact of it, there is a whole bunch of other contract laws that are basically covering saying if consent is not taken while signing a contract people can... Even if consent is taken, A, consent is not taken. That is point number one. Even if consent is taken, I didn't understand what shit is this? So I signed, right? That is also a whole bunch of contract laws which you probably violated. So it is not just this, right? Aadhaar Act is just part of... I mean, the other thing that you have to be very careful is Aadhaar Act is not the only law around that. Correct. That is important. Right? And just like this, there is no other alternative apart from e-KYC, stuff that people are going around and saying there is no other idea than Aadhaar. Exactly.
You have to go back and ask this question. This is not the only act around that has been violated. There are a whole bunch of other things that got violated. Sir, I just crossed it. It's an interim penalty, pendingly a national audit which means the charge will come afterwards. So we don't know if it is actually being considered as a violation of law. If what I am trying to do, we have the point. But if there could be technicalities, if it were left to me, I would consider this under section 4 to 8 and took my money without asking for consent. I think that we don't know which law they violated because nobody reported it so far. We haven't seen the copy of the audit itself. If people complain to the LPG ministry, there are people who complain to LPG ministry for their LPG subsidy going to Airtel Bank account which is not in their control. So that's an LPG ministry should preferably stating that this much money went to Airtel Bank. That's how it is connected. All these oil companies complain. Yeah, oil companies complain in their case. So we just want to get to the technical details of how this thing works. Before then there were a couple of questions in the last sheet. Sure. So first one is, this person says it's actually NPCI mapper with Sura and not Airtel Bank, opening of an account without consent was when Airtel Sura, they asked for NPCI to cover up, they have restored Airtel Bank and a minor final. Is this a cover up of data in power of Sura? So the NPCI mapper has a technical design issue which is what caused this problem. That it does not require consent in the NPCI mapper. I think you should get into that. So there's something that came up in a live TV debate I did a couple of days ago with A. P. Hota, who was the previous CEO of NPCI. And it's something you are known from the NPCI operates but he admitted this on air. And he said that essentially NPCI operates on a good faith basis.
If a bank claims that they have your account, then NPCI says sure then you must have that account. They don't check. They don't check. That's it. And that's basically what Airtel have used. They use this good faith basis to say okay we have opened an account for this person who didn't know that they were opening an account with us and you also want substance delivered here. When NPCI says sure, you are a bank, you are a member of our association, so we believe you. My question, I would be in looking at this. Some shady website where it is like this is a free thing and in somewhere under the condition it says there is a monthly charge of $35 or whatever. So Airtel has a charge of 0.75% to withdraw the money. Exactly. So they are doing exactly what that says but if there is a law that says this is wrong. Of course. That is a good idea. The contract law. So forget about you and Aadhaar Act. Okay. Think about this contract law. You and me are employees. I am basically coming and saying I am paying you 10,000 rupees a month for services rendered or whatever. And somewhere along the line after you sign but added some more deductions and stuff like that. I mean contract law basically comes back and says no, you can go to me and say no, I didn't even sign up for this. And that's all there is to it. But here is the important part, right? Where it gets very messy. So let's say I did this stuff and you can go and sue me on a whole bunch of labour courts and other places. However, if it is a crime that is committed where an Aadhaar number is involved, the only people who can sue me is Aadhaar, is the UNA. Not you, not me. And that is where it gets very messed up. So without this, what will happen? Who can? If they choose to. So they who can sue you and they need to would be different. Who can if they choose to? Is even worse.
So fundamentally what it really means is that if you are a person who got cheated because of all this, you can't sue me and you have to go up to this third party who is basically running his entire state and he can choose not to listen to you. In which case where is your recourse? Also the customer care for a service which is going to 1.3 billion people is just one phone number which rings in a call centre and they are not obliged to help you with anything. We can just say that we have taken down your complaint and we will power to do concerned authorities. We don't know who the concerned authority is or what action they are taking on. They mostly can replace. There is. It is not even the registered complaints. I just like to bring it back to what Kiran was saying about the NPCI, what you were talking about going into the technical details. So basically the typical way a bank transfer happens is, if you have an authority like RBI which manages NEFT or NPCI which manages IMPS, the basic assumption always is that the sender of the money and has an account number for the recipient and it sends it to the routing agency saying here is the bank's ID and here is the account number in this bank, please deliver the money to them. So that is really how transfers happen, but you provide two pieces of detail, and whether it is RBI or IMPS which is NPCI or Swift or Swift or all these mechanisms, they work like this. What these people have done with the Aadhaar mapper on the other hand is basically two levels.
So now NPCI has one table called the Aadhaar mapper, which has Aadhaar number and name of the bank but not the account number, and the bank has another table which has Aadhaar number and account number. So what happens now is, now when you transfer money to an Aadhaar number, you send it to NPCI, NPCI sends it to the bank, the bank is supposed to figure out who the actual account number is. If they made a mistake and the bank receives money and they don't have another number, we don't know what is going to happen. Maybe this goes back, maybe it doesn't, we don't know. So this is a ridiculously stupid design, because you can't control where the money goes, any words, you have to put two different agencies. Second thing is that as a citizen I have absolutely no access to NPCI system. I can't choose which bank I want to use, only the bank can decide this. So bank multiple other bank, but if you have multiple accounts in the same bank, there is no defined manner by which you can use which one is the opposite of these. What about other banks, where I have one Aadhaar number and multiple banks? Latest. So the hack is to say the latest one will get it. So one of the things that they have done here is, now you can see that you are essentially removed control from the user. At least the sender knew where they were sending the money. So it doesn't make sense. You said NPCI has only Aadhaar number and bank name or the bank institutional identity number, IRA and so on. That is pretty wrong. Now if I, that happens a lot, now if I have, where does that money go? So the problem here that happens, sorry, I just want to finish my presentation, if I seed Aadhaar number in bank A first, then in the NPCI mapper table next to my Aadhaar number, if I seed in bank B next, automatically this goes. So it's just in a sense just changing the name of the bank, that's why money should be sent, and after that, after the bank to decide which account it is. I think there are two kind of APS, one is with the IIN and other is without, directly to the account
number. So APS have two different gateways. The default one is just Aadhaar number, the default one is Aadhaar number and account number. All government subsidies don't bother with the IIN number. In fact there is a law that says you are not supposed to send the IIN, because the NPCI rules specifically say that for subsidy transfers you must not specify the IIN number, you must only specify the Aadhaar number. If you specify an IIN number it requires to be rejected. That is for the overdraft hook. The overdraft, that's to ensure overdraft, overdraft. So now one of the reasons why NPCI came up with this really bizarre architecture is, as part of the PM's Jan Dhan Yojana scheme, anyone who has only one bank account that does a maximum turnover of 1 lakh in a year is eligible for an overdraft of up to 5000 rupees. Now overdraft is given by the bank where you have an account, which is kind of terrible for the bank because they are giving you a loan with no assurance that they will get repaid and no security, because Jan Dhan Yojana accounts are also with minimum zero deposit accounts. So for a bank to be able to give it an overdraft, the government gives you a guarantee that the subsidy will come to your account. It's like a future sale, it's like a lien on your future, on a future subsidy delivery, what they call a day zero loan. A day before your salary you get a loan. Yes. And NPCI is very limited, 5000 bucks, it's not a lot, but it gives the bank. So think about why this architecture came, because if you look at it, every bank that opens a core banking account, which is what called CPS account, incur the cost of 50 rupees, 100 rupees or some number. There is a license fee for it. If most of the banks run the core banking system, that's a license fee associated for every bank account, and manage big board banking, it's basically 500 bucks or 50 bucks or 100 bucks, I don't really remember it. It's basically a license fee per bank account per year. Now think about it, if you are a bank and someone comes and
says I want you to open 100,000 Jan Dhan accounts with zero balance, and you are like, hang on, my cost for that is 5 crores, where will I get that money? So there is a cost to the bank and they are not very happy about it, because they are not going to get anything out of it. So the way in which these guys ment and told them was that, look, if all the subsidies are coming to these zero balance accounts, you basically get some money which is the savings account, you can get some interest on it by lowering it to someone else, and normally that. Now you have an option of giving overdrafts, we will also come to that, and overdrafts are charged at 18%, 12% or whatever it is. The extra interest that you get is fundamentally going to balance out the cost that you are going to incur on a yearly basis. So the entire scheme of Jan Dhan Yojana has been that: A. open bank accounts, B. give subsidy to those bank accounts on a very regular basis and cover the cost of the bank for doing zero deposits, and then finally ensure that it is overdraft as possible. Now the moment you bring overdraft as a possible thing, so here is the point why the subsidy is not paid to the bank account but to the Aadhaar holder, you understand, right?
where you have an overdraft, if subsidy is directly paid to the bank account, tomorrow you can go back and tell it to him that, no, I want my LPG subsidy not on my SBI bank but on ICICI bank, in which case you have taken the overdraft, then the bank loses it. Let's say you took an overdraft and you walked away, what will the bank have? Bank had nothing happened. What this guy said was, subsidy must always be paid only to the Aadhaar number, and if it is only paid to the Aadhaar number, who is going to hold the mapping between the Aadhaar number and which bank account it has to go to? It is NPCI, as you can guarantee that if the bank says you have given an overdraft then nobody else will give the money. Wait, so let's say it is a lock on your account. So basically it was decently well designed, I would say, for that particular problem. So basically that's also arguable, but 2 points, 2 points that struck me. So actually right now it is in the interest of the bank to be the last account. Exactly. So actually banks need you to go slowest of their account but faster than other banks, so that your seed is last and therefore all your business close to that bank. And number 2, something you said last, what did you say last? Lock. Lock on overdraft. So, so let us say that I am the last bank. So then what my question is, if I, let's say I am a Jan Dhan Yojana operational account and I have taken an overdraft, correct, now if I seed some other account after my Jan Dhan account, it will not be locked? So every time you take an overdraft, so what happens is the bank, it's again about the control of the bank on the mapper. So what you have to fundamentally understand is, you as a user or an account holder do not have any control, none whatsoever, on the NPCI mapper, for a specific purpose. A specific purpose was to ensure that you do not take an overdraft and you walk away, and hence the write access on the NPCI mapper is fundamentally given only to the bank and not the end user. Now this is precisely what Airtel has abused, you
understood, ok. And what happened is, let us say you are one of the, the write access is given to the bank without corroborating consent. Exactly, that is important. So the banks are that way, and banking is not a fake based interest, banking is not a fake based interest, particularly we are talking about loans, Bhagawan paper or something. So if you also, this concerns people mostly like us in this room who would have more than 1 lakh of transaction, so we never need that. So it means it's changing all the time whenever we do something with the bank. Another thing now is that a payments bank, by that license, is not allowed to give you an overdraft, right? So there is no point in them being in that damn mapper, because they can't give you an overdraft. So what's the point of Jan Dhan Yojana and Payments Bank? They are not connecting. So finally what happens is, what he basically says is, at a payment bank or any payment bank has no business, none whatsoever, to have write access to the NPCI mapper because they don't give you overdraft. But the other interesting thing is, in order to take money from the payment bank by cash, you have to pay 0.65% or 0.75% share. Who gets that money?
Airtel charges you withdrawal fee of 0.75%. 0.75%. And there is no terminals, there are no terminals. Where is the ATM for Airtel payment bank? It's not like eating in an ATM, you have to use the bank, you have to use the bank, it's the other bank we talk about. They also have stores where you can move it out, so you can go to the Airtel store, but mostly, mostly that won't work, because in Karnataka at this point, it happens in Karnataka, when the government subsidized farmers subsidy into supposedly Karnataka bank accounts of farmers, it reached the Airtel bank account, and in most of the rural Karnataka there is no Airtel. So then government did a rupees one transfer before the next transfer to ensure that everybody gets a subsidy, so, and ask them to confirm they received 1 rupee. Then the next major Kishu was, the farmers movement said, why we received 1 rupee subsidy? I heard this whole story in last June. In last June I heard, this is not a story that is told by newspaper, this is actually a story told to us by the person who is operating the scheme in the Karnataka state government. It is also a news, it is not as big a news as it should have been. The point is that people only notice when they are the ones who got, got impacted. And last March, last March the same story I heard from the NREGA. Yeah. And also another thing about the NPCI mapper most people do not realize is that if you look at MNREGA, the Mahatma Gandhi National Rural Employment, now that also requires direct delivery into your platform. Previously they used to do NEFT transfers, now they decided to do Aadhaar maps, and so now the job officer who is handling our work goes around asking people for the bank account numbers, takes it down on a piece of paper, goes uproach it into NPCI mapper, and thus data entry errors. They have something called consent camps. Consent camps. Consent camps, like a concentration camp. So in which every bank will come. That is interesting. So in that all the banks will come, the Aadhaar consent is taken, the mapping
consent is taken, because there is practical issues, because every bank will not have the rural banking person in that area, bank correspondent will not be there, bank will take the consent which may not even have local presence. So along with that there is another thing happened, as earlier people used to track the money delivery to the person by how does it reach his hand, for example the post office delivery and similar kind of things, but now with cashless it is going to some account on his or her name. So, so it doesn't know, individual have a passbook but he don't know which bank is going, and in many cases banks will not have a business correspondent in that area, so they may have to figure out new contracts and appoint the new person and they need to go, because consent is taken earlier and bank account is open on the fly. So think about this very differently, right? So there are two parts to it. One is direct benefit transfer, okay, which people believe today as if it didn't exist before, okay. So the fact of the matter, benefit transfers has been happening for a very long time without Aadhaar, and the way in which it used to work is a very simple thing, which is, I remember it explicitly when the LPG thing came, because it came and said, can you please give me your bank account numbers for the LPG ID. I don't have an Aadhaar. So when LPG thing came, all the guys came and said, on every scheme you please come and tell me, give me a bank account detail, you see it and you are done, it will keep coming on its own. So the distinction is that I had control. I will precisely come and say that, look, this is the bank account in which I want my subsidy to be given, and let it say tomorrow I want to go and apply for some scholarship and I am eligible for getting some 10,000 bucks scholarship, and here I will go and say that, look, this is the bank account, and he wants direct benefit transfer to happen. I don't have a problem with direct benefit transfer as such, right? The problem happens is when you come back and
say, look, you are going to add stuff like financial inclusion, you are going to add stuff like how will the bank make money, you are going to add stuff like overdraft, you are going to add stuff like how do I manage loan locks, okay, and then finally you create such a system where the system is more tuned towards these fellows, which is banks, rather than the person who is supposed to receive all his money. And I mean, for most of the people who can afford not to get an LPG subsidy, like me, it's perfectly fine, I am leaving it out for a very long time. But you think in terms of what happened in MGNREGA, right, the National Rural Employment Guarantee Scheme. Earlier they were paid in cash when the whole thing started into one regime, I mean as you should have written with corruption, some guy will take, some guy will not take and all. Then they switched to post office accounts, which was far better way because at least there was some kind of a guarantee, right? And then they switched to bank accounts and then put his overlock lock and overdraft and all that kind of stuff thing. It basically allowed every single bank in the system to say, no, I want all that subsidy of the guy here on my account. So this is where the NPCI mapper, you know, understood how the abuse pattern spreads all around, right? And at the end of it, if you personally ask me, I don't have a problem with Aadhaar mapper, okay, I mean apart from all the other security stuff in terms of DBT. But you, I mean, in my personal opinion, I'll give it to you whatever you want, but privacy is not as big a problem for me compared to all the security defaults and the disaster it creates for welfare, okay? You look at it, at the end of it you are basically creating a system which is not empowering people to get what they are entitled for, right? Disempowering. Disempowering them. And I think that has been a fun and if you look at it why is because when you shut it off, I have no problems with the DBT itself, but when you add it is over overdraft, how will the
bank make money, how will I sell insurance product for this fellow and all that stuff. Oh, bank has to make money. Then who has to fund this direct benefit transfer? If, think about it very differently, if the PM Jan Dhan has nothing, if the Prime Minister has gone back and told that, okay, I will fund that final box or 300 bucks code banking charge, whatever, you keep it, I think the problem will have taken care of it by itself. So if you look at traditionally what happens is there is a cost associated with all kinds of welfare schemes, okay, and the cost is too high for government to put it on the finance ministry's budgetary note, so they try to say it is free and try to spread the cost to various third parties like banks. Third parties and banks and service providers. And those guys also can't take that cost, so they try to spread it to the actual person who is supposed to be benefitting from it. So free for everyone who starts. Free for everyone who starts initially, and fundamentally everyone pleads for it. Point you made about privacy and security: I will say the problems with privacy are there because there is a problem in the security. If somebody has my private details and can keep them safe, maybe I can live with it. Maybe I can live with it. If you don't have. The other part is also not understanding privacy in the first place. Yes. For instance, and this is actually a problem that is a lot worse in the US, because, I don't know how many of you are familiar with the US banking system. Yeah. So you know that in the US, if you have somebody's bank account, you can take money from it. Yes. So one of the most common types of fraud in the US is somebody trying to give you money, because the moment you give them a bank account number to deliver the money into, they take money out. Yesterday. So it's kind of ridiculous how bad their system is, because people are afraid to get paid from people they don't know, so instead they send it to PayPal or some other mechanism. That's why PayPal works so well over there, that
their faith in the banking system is that broken. It's zero. They have that problem there, and what we've taken that is taken the same idea and said, if you know somebody's Aadhaar number, you can claim to give them something, right, because there's no validation of the fact. You know the Aadhaar number is considered as all that is required to claim that I've given you some benefit. And you can actually do that. You can put someone's Aadhaar number and send them money whether or not they want it. And Google takes consent for this. They take consent for anybody to associate the Aadhaar number with your Google account. I didn't remember seeing that. I think for people who are watching the live stream, that might be a good point to just stop and say, if you want to resist Aadhaar, what are the three things that you can do? Well, one is ignore all the notifications demanding Aadhaar, because they have no forcing law. Until March 31st. Until March 31st. There's a Supreme Court hearing on 17 January, so the story will change in January, so don't worry about it at all. Do not respond to anybody demanding on that. All the smaller cases, try to, everything is going to be based on this one judgment. Everything is tackled the same. Everything is all tackled, the mother case, every single thing. It's one constitutional bench, so it will pass orders on all those things all at once. That is 17 January starting date, so it will obviously stretch for several weeks. It is not a simple case. So judicially, wait. Do not link other things. If you don't have it, don't get in. Legislatively, parliament is in session right now and this is the time for parliament to act, discuss Aadhaar. And so a couple of weeks ago we launched a campaign called Speak For Me, which basically asked people to petition their MP. w w w love speak for me. So you can go to the website, it's got a template email. If you tell it the name of your member of parliament, all you have to do is hit the send button and open your own email client, so you send it yourself. It is pre-filled
for you, and what we are asking for members of parliament to do is to file this under what is called rule 193, asking the speaker to initiate what is called a short duration discussion about Aadhaar, because I think the reasoning is that because the Aadhaar act was, which became the Aadhaar act, was passed, it was such a big hurry, there was hardly any discussion about it. But now that there are so many problems already, already 23 in this week the session have asked questions connected to Aadhaar, ranging from the Biju Janata Dal to the Trinamool Congress to BJP members themselves. Several have asked questions related to Aadhaar. About nine MPs have already filed rule 193 notices asking the speaker to initiate a short duration discussion about Aadhaar. Who are those MPs? I have the list. We just posted an update on the list. There will also be a detail sent out if you participate in the campaign. All the emails are not published on their website later. You are sending it to MP, right? So this is not a try, right? You are sending it to MP. Maybe you are really sensible, we don't know. Let me check. No, I don't take the Aadhaar. So if you go to recap: if you have faith in judiciary, wait. If you have faith in the legislature, go to www.speak.in and petition your MP. It's a really simple process. You just select your state, your constituency, and there is a letter that is automatically addressed to your parliament. Send them that letter asking them to file a rule 193 notice asking the speaker. A better way of reaching the MP, you are free to do it yourself. You have his phone number, you don't him directly. You know him for some time, just ask your member of parliament who you voted for to discuss an issue that concerns you. That's two things. The third thing: well, if you have faith in the executive, good luck. Right now we are maintaining the Aadhaar system to consolidate it's supposedly access to the national disaster. So part of the way, you know, I think it's safe to say this is a disaster. So part of what is going on in Aadhaar is when
it was first conceived and the budget was originally made, the expectation was that it's going to cost a lot of money to build, but that money is lesser than the amount that's going out in corruption, and so the promise was that if Aadhaar is built and it works, it will reduce corruption by so much, it will save so much money for all of these various departments, and that money can now be used to pay for Aadhaar. And if, I am not aware of the fact that it's coming from the consolidated fund of India, so if it is, then this must be why, because it's meant to come from other departments that are saving money. Now see, the consolidated fund of India is basically the fund in which all expenses and income from the government comes and goes. It is like, so think of like a household, right? I mean, you have a household, yeah, you have a household, right? You have a household, and whatever expenses that you are incurring on the household and whatever income that you are coming on the household is basically coming to the salary account or one or two accounts. I mean, think about it very differently. So consolidated account of India is nothing but, think of India and Indian system as a budgetary thing, and whatever the government spends and whatever the government borrows and whatever the government earns is all going into the consolidated fund of India. That is the way in which you look at it. So if you remove the consolidated fund of India, there is really nothing called economy at all for the government. That's the way in which you look at it. So if you come back and say, what they merely said is, for anything and everything that matters on consolidated fund of India, that is basically the key. That is all it really comes down to. But in the question, of course, you have to ask is a very simple question, which is, what has SIM card got to do with consolidated fund of India? Because the last message is coming from my pocket. What about the fundamental issue is that technology is seen as a panacea for every evil that is, and
then not understanding what technology can do and what the risks are. It is just like, oh, there is this normal technology which is like the drug for all diseases, and that's what we should do, because technology can't be corrupted. I think that's the idea. But there is an entire field of study of this, it's called solutionism. So Kiran has written some very interesting articles recently, what, about the difference between public information and private information and secret information, and in that he talks about how we divulge our private information to other humans based on trust, but you don't know whether you can divulge, right, you don't know whether you can divulge, there is a private information to the device, because there is no trust between the device and the human being. Actually not quite that. This is an early internet problem. So follow what's happened is what the internet has done, and this is starting from the early days of the web in the late 90s onwards. Normal society has three registers, if you are roughly operating on this. Secret, which is confidential stuff that you do not want to share, because if you share there will be consequences to it. There is private, which is things that you will tell people around you with the confidence that they are not going to go broadcast it to the entire world. So any conversation you have in normal life is private, in that there is some reasonable base on which you trust the other party to not write it down and put it in the press. And there is public, which is meant to be published, and you don't care about the consequences of being published because you are looking for it to be published. You are probably worried about not being published rather than being published. The private register is the nuanced one. It's where the context in which this private conversation happens matters a lot. Like if it's two people talking to each other in an isolated room, it's private to them. Which, once I was talking like this, it's private to us, except it's on live
stream, so it's also public. We are choosing to make it public. If there was no live stream, I would probably be a lot more confident saying things that I don't want on the record, that I am okay with saying morally. So the private register, that's why we also introduced ourselves in the room, because it's a kind of social contract, except for a mystery man who didn't want to introduce himself. This information is private to us. So yeah, so the only thing with the private register, which is this midpoint between secret and public, is that it's not one point, it's just an entire range of behaviors that deal with saying what is private over here. But one fundamental definition of private here is that it is certainly not secret, because secret is something you define explicitly as secret, saying, I will certainly not share a secret in this room because that makes no sense. What I will do here will be private, because I can't control what happens in this room. A password is secret. A password may be shared, maybe two people share the same account so they share a password, maybe nonsense, that's fine, but it's no limited to those two people. So private is this thing that tends to not travel because of the memory which is done. Like spoken word conversations don't travel, because nobody is recording them or writing them down and saying I will publish it, like the way you said it. The problem is that the moment you go online, there is no private. Anyone, you can do secret and you can do public on the way become the private. Now this has been a problem that has existed for like 20 years now, 25 years, and it's something people have tried various ways to solve it with. Facebook, for instance, gives you controls: who can see your updates. Like you can say this is the private post, nobody can see it; you can say only my friends can see it, only the people I select can see it, and so forth; or public, anybody can see it. Even if Facebook does this, it can't really control what happens after it's seen by someone, because text you
can copy paste it, even screenshot it. So on the internet, private as a technological mechanism, which is completely broken, it doesn't exist. You can do various transactions to prevent it, or you can depend on social goodwill and saying that you expect good faith in the way that people keep private things private. If you can't expect it, you get something like DRM, which is this other horrible branch of technology that aims to solve the privacy problem by saying this video is private, you can't copy it. So the Aadhaar number now is by design private, not secret, unfortunately. I think it's important to define that: private in the sense that not everybody should know it, people who need to know can ask to know it, but it's not secret in the sense that nobody can also know it. So it's halfway. Follow up on that. So what happens, what is the Aadhaar number? So let's say I have a service provider, I am probably a job site operator. I've got a problem: somebody didn't show up for work and I am missing my quota. So what can I do now? I am supposed to show 10 people, only 9 people are here. I can put a fake number. I can put a fake number, who is going to check? Now obviously if this fake number turns out to be part of the country, I am in trouble. Can I put a fake number of someone who is plausibly in this area, and he is not going to bother to check? Now that's the problem. See, you can generate a random Aadhaar number and hopefully hit on one that is valid and put it in the database, but you want to be extra sure, you should find someone who is a good suspect to put on and say I gave a benefit to this person. So you can do that if you know the number of someone. So that's the problem. You can't leak your Aadhaar number. If you have views like this against you, somebody will claim to give you a service even though they are not giving it to you. That's a DBTL catastrophe. Another scenario is, how many people in this room have, how many people's phones are completely unlocked? So if I got access to your phones, if I got access
to your phone right now, I would swipe up and have full access to your phone. Now imagine I have that and I have the Aadhaar number. What do you think I can do? I can own you. Wanna try? I can own you. Oh yeah. But what if you do? So here is, we can move your money, we can change your passwords, we can open your bank account, we can get new SIM cards and give it to actual terrorists, you know, we can, the possibilities are. That's the thing most people I don't think understand, what happens with my, when my Aadhaar number is shared. I do not see many people understanding. People keep asking, oh, it's just a number. This is a great point. I think this is a great point to bring in: people who do have already, what do they need to do? One is lock your biometrics. There is a website, can we put the link in the comments or something? There is an option there to lock your biometrics. So there is a link in the live stream. There is a link in the live stream. So lock your biometrics. That means that nobody can, even if you put your fingerprints on that scanner or if somebody scans your iris, it won't work, because you have told UIDAI, I am not going to use my biometrics to authenticate anything. That's called biometric lock. The challenge I have seen in real life: one is that even if you haven't locked your biometrics, a lot of time they won't work, but that's the biometric side of the problem. The other problem is, a lot of, I have seen a lot of instances in my extended friend circle where they have locked the biometrics but they have had problems unlocking, or even after they have unlocked it, it's not working. Maybe it's the extension of the first problem. Yeah, it is the next extension of the first problem, or we don't know whether the technology works as advertised or not. So there is no way to verify. That is another huge problem. There is no audit, and all the linking infrastructure asks for biometrics all the time. The other thing that people with can do is, even if you haven't locked the biometrics, if you are going to present your
fingerprints and whatever, do it only once. It doesn't work. It doesn't work. This is the first time, by design, the first biometric interface. We know that, it's in the specifications. Why is that? So here is the interesting problem. This is the database of the billion entries. Are those billion living people or dead people? How many people have died since they enrolled in Aadhaar? We don't know. What is the death rate in this country? So you can look at the enrolment rate and do a correlation and say there are two million, tens of, hundreds of millions of people who are with Aadhaar numbers and dead and will never authenticate again. Now there is a data center that has all these Aadhaar numbers sitting live, and the moment you do biometric scan, it's supposed to look up your record and check if your fingerprints match, except some of those records will never be used again, and the only way they are going to never be used again is if it's not being used for a while. So one of the things that UIDAI does is that they have a three year deadline that says that if your Aadhaar number is not being used in three years, it will go into government work and they will move it to cold storage. Now you come back after three years. Three years. And you put your fingerprint. Fingerprint. It says, hey, you are not in hot storage, so wait at the left side. Wait at the left side. So if you have not used your Aadhaar in the last three years. Yeah, but we don't know if it's three years, it could even be six months or one year, we don't know that. It's a great way to teach the good architecture, it's a masses. How do you say it is great? Suppose I just used it yesterday. Yeah, then it should work. Technically it's a cache. But what Kiran is saying is that this is part of the design of the Aadhaar. The design of the system is that the first failure is normal, it's okay to fail the first time. Not for that session. First for the session. We don't know what that gap is, because UIDAI, it's national security. Maybe it is one year, maybe it's two years. You can
don't use your biometrics, but only experience will prove, because users may find that it exceeds the standard. So we don't know what the time out period is. But I think for people who have been doing, there is one more thing people can do, which is signing the opt out Aadhaar plans, dealing the Aadhaar plans zone. It doesn't have any legal standard but it's a good option. That's what it's got. There's a petition being circulated, so we think Aadhaar and Aadhaar where there should be an opt out option, that is, I have given my fingerprints and I would like to opt out as per the right to privacy. Opt out need to be supported. Yeah, so it's not only privacy, it's a voluntary thing. Voluntary thing. That means the problem isn't other but design cannot be opt out, because they can't tell fraud if you opt out. Exactly. So I got an Aadhaar when I was in 12th standard. I did not understand security and privacy then and I was like, yeah. Nowadays when you're born. So that was back in 2010, and until 2014 or 15 you did not need to use it anywhere, it's just like a passport sitting forever, I haven't ever used it. But now with the time I started understanding this, and my first question was, I do not need this horrible thing, how do I surrender it? There's no option. We know that revocability is key. Yeah, revocability is like one of the basic things that, Aadhaar opt in is based on consent, so legal consent is about. Aadhaar design with contempt for the individual. It is absolute. I mean, you look at the design, I mean the way it's oriented, I think it is entirely meant to say that the individual is committing fraud and the state was protected for the individual. Every individual. You know exactly when it will work? If you say every individual has no right to opt out of this system, which is, which is going to uniquely identify that person, only then will it work. For what purpose? Actually I think that is not completely true, because there is a problem with this. The Aadhaar design makes the assumption that it only works if 100% of the
population is involved. Problem is, 100% of what population? Population, what is population next year? Also what about, in India, for anybody who is resident in India 182 days or more. So let's say, that is a very late change. The systems are not designed for it. You look at the process, they have no way to verify your address. Yeah, they ask for your address proof. So I mean, okay, what I am saying is, let's say miraculously today UIDAI achieves 100%, every single human being has an Aadhaar. No, they are not. They are actually very far away. And miraculously manage it today, there are babies going to be born tomorrow, there are people who are going to lose their fingers tomorrow. So I want to explore this, because there is an archive writing, so it is not done yet but it will be done soon. So there are design issues with Aadhaar. One of the assumptions is that Aadhaar has 100% involvement. It is that any service provider has 100% compliance with Aadhaar. So the expectation is, let's say LPG, the entire LPG database of this country wants to have 100% Aadhaar records. That's the expectation, because only then will they find anyone who is committing coming in price, who is duplicated. Because you are once with Aadhaar, once with Aadhaar, they can't tell you that you are duplicated. The Aadhaar system can't find you duplicated. The LPG system must find you duplicated, and if the LPG system is doing their own deduplication, then there is no cost savings that Aadhaar is giving them. So for any service provider that has to do deduplication without support from Aadhaar is not saving anything. So that's the exact same problem they had before. So the promise of Aadhaar only works with 100% compliance of each system. Of each system. So therefore 100% bank accounts need to have Aadhaar, 100% LPG accounts need to have Aadhaar, 100% LPG accounts need to have Aadhaar, 100% SIM cards. A bank account doesn't have a duplication for this room, it doesn't matter. So you can be under the promise and you can use any of these services. So this sounds like very
typical gambling game. When you lose the first bet, you are like, okay, I'll recover it when I bet the next time. It becomes worse. So it's like, okay, there's now even more score, you start like double down, keep on doubling down until like there is nothing. There is a fundamental difference. Let's get to this, this is where it gets fun, because this is the first reception they made, that any system which has 100% Aadhaar and involvement will solve its duplication problem. Now this does not deal with surplus humans. Let's say you bring LPG subsidies. If you assume that people need LPG subsidies and therefore they will get an Aadhaar and enroll in the LPG subsidies system, you are not accounting for people who don't need LPG subsidies. Now people who don't need LPG subsidies are anybody who doesn't live in India. Hey, hey, hey, hey, he doesn't live in India. Yeah, I know, you have a story. He'll tell us a story in next. So think about it: if you want to say that everybody in this country who has a phone number has Aadhaar and you have achieved your 100% compliance, you can't do anything about the rest of the world. You just want to ensure that people in India have Aadhaar, and you want this position of saying that if it turns out that this phone number is suspect for some reason, I can go look up the Aadhaar number, find the person, and also find any other phone number that's linked to them, and so identify this person. This then becomes a problem if somebody in the US gets an Aadhaar number and registers the phone number in India that's operated in India, but nobody knows the fact that this human is not based in India. It is just that it's somebody else's operational use. So now the second design problem is someone who has no use for Aadhaar having an Aadhaar number, who's availed the service fraudulently and given it to some other person in India. That's called the mole. So they have no solution to this problem. Which I can very easily pick up since I don't have any use for the Aadhaar. That's a problem. So now this problem cannot
be solved unless you make it impossible for someone to live without linking Aadhaar, right? And so this is now where the other push for Aadhaar comes from, that every foreigner can get away with fraud because the enrollment agent doesn't check your residency status. So all you need is one visa to India and give it to your friend, go back to where you came from, and that's completely illegal. You can also do the illegal method of saying that this, bribe your document verifier to take some fake documents. 500 bucks. 15 bucks. Depends. So it depends very well. The problem now is that these people have set themselves up for the first level of saying, this imagination that if you have 100% compliance your character problems will go away. Suddenly you realize that there are surplus humans outside India, and there are more humans outside India than inside. I mean, even with our reproduction rate we are still 16%. Now we have the new problem of saying, previously we said Aadhaar is for residents without defining residents. Only when the act was passed, as a very late stage requirement, they changed the definition of resident. So apparently it's either resident or intent to be resident. It's not in the act. There is no such thing as intent. There is no consent, there is no intent. So in the act they are not defining, because it defines resident as 180 days of the previous one year. Now they have a problem saying you must cancel Aadhaar of non-residents, because now that's a leak. That's a leak, no? And so now there is this crackdown on illegal Bangladeshi migrants having Aadhaar and what not, which previously was not a problem, because in the previous design they are not assuming that they were supposed to have Aadhaar. So suddenly you have this problem of saying, no, they can't have Aadhaar, then they will commit fraud. Having Aadhaar and not using it is fraud. Now think about it: having Aadhaar and not using it is fraud. Fraud is just correct. So what it basically says is that, I mean, if anywhere you can suspend, and not
having Aadhaar is also problematic, you are messing up the 100%. So the only way is to have Aadhaar and using it everywhere. Definition of resident versus non-resident, right? So which is an impossible problem. There is no way they will solve this problem. They want an ideal state. They want this ideal closed border state like China where nothing happens. So think of this, think of it very differently, right? This is another way of saying the same thing. The only way in which Aadhaar can succeed is that we have perfect 100% registration of all existing people today, right, for people today, and then we have closed borders, we have closed borders, perfectly closed borders, and we get perfect registration of every single baby that is going to be born from today to tomorrow, we have successful deactivation of everyone who leaves the country, and no one leaves the country. Now all these five combinations together is what we call as the Aadhaar-itarian state, okay? 100% enrollment of all people today, 100% enrollment of all people tomorrow, 100% enrollment of the babies, no one goes in, no one goes out. It's perfect. Or you get the whole world in Aadhaar, which is also what they are trying to do. This is also what they are trying to do. So they are already in talks with foreign countries, not China, Tajikistan, Sri Lanka and some, some African, African countries, to say that. You are the consolidated fund of India. It's not, this is sales. It's not export and import also, export revenues and import revenues of people essentially becomes taxation, and taxation comes into consolidated fund of India. Downstream revenue. We are paying for it, but we are suffering from it at the same time. We are paying to a telephone company which is paying to the government. So, so what about security implications? For example, you link it to the same, there is a data breach, and then you can make it graph like movements and things like that. Data breach has never happened before. That doesn't happen. It happens about once a month. But we don't have an answer
it doesn't happen regularly, but just once a month. No, the others are more important. Data breach is somebody is forcing their way into a system, that is data breach, so there is, there is mala fide intent. It's like, data breach is like somebody breaking into your house, so somebody wanted to break it. But what's more concerning is you not having the keys to your own house. So for example, if you want to find out how many times has your Aadhaar authenticated today, by who, you can find out how many times it was authenticated in the last few days or weeks. 6 months or 50 days. 50 times or 6 months. And it can be found out only through a website, so our farmers sitting in Jharkhand or whatever, somebody who works as a, villages around cities, basically cannot check this. Even those who can check it can only check the last 50 authentications or the last 6 months. Even that information tells you, bhaiya, your Aadhaar was authenticated 17 times. It doesn't say, it doesn't say who, for what reason. It either tells you it's demographic or biometric, and there are supposedly, nobody knows the meaning of it. So there are 4-5 columns: one which says whether it succeeded or not, the other was authentication code, which is basically just a hard, hard number with some random digits, you don't know the meaning of it. Used by authenticated. Authenticated or will tell you biographic. Yeah, you give me that, I will be able to decode it. Just send me that. I think this is more important than a data. This is more detailed. No, they don't tell you. They tell you that an authentication happened, but they don't tell you who did it, why it happened, and so on. But there is a reason for that: they don't know, in theory. So they designed, so honestly this one is a lot more surreal than this 100% comparison problem. So part of the UIDAI design is this: the guys who designed it kept thinking and saying was, we don't want to know so much, we don't want to know your movements, we are going to design it such that we cannot know. So what they did is they
designed this federated system of authentication where CIDR, which is the Central Identities Data Repository, which is the main data center, will not talk to the outside world except through a bunch of trusted entities who are called authentication service agencies. And how many are there? ASAs are about 30 odd. ASAs are 30 odd. So there are 30 of these ASAs, the authentication service agencies, which are entities like NIC, which offers it to all government services, from the NSDL, NSDL which offers it to all stock market. So they have 30 of them for different purposes, who are only allowed to service people in that domain. So NIC can only offer it to government services, government departments, they can't offer it to anyone else. So the first ring is the ASA network, and the basic idea is that the ASA network is where all the aggregations happen. So the ASA network serving hospitals will know nothing about ASA network serving government services, will know nothing about ASA service offering to insurance companies, and so on. So basically then they cannot do cross-correlation, because by now they are prohibited from sharing data. ASAs in turn subcontract to another layer of it, AUAs, the authentication user agencies. The AUAs again subcontract to something called sub-AUAs. So now the AUA has a contract with UIDAI, and UIDAI in the contract says you will go through the ASA, so that we don't know what you are doing, because ASA will not tell us who it is for, which AUA it is for. It is just that we license you, but you send it to somebody else so that we don't know that it is coming from you, for the good of the people. This can make the wrong contract with sub-AUAs, and even UIDAI doesn't need to know about this. So the idea is that every state will have an IT department which will become an AUA. So the IT department of the state will get an AUA license from, talking to NIC which is the ASA, and any government department in the state will talk to the IT department. So there will be the sub-AUAs. Each department
is a sub-AUA talking to the IT department, which is the AUA, talking to NIC in Delhi, which is the ASA. So your idea is the same tip. And so thanks to this federation there will not be any aggregation of barrier authentication that happened. So in the registry, when they say that one demographic authentication happened somewhere, all they can tell you is that it happened somewhere; they have no idea. So they designed it like this, saying that we do not want to know. The problem is, if they don't know, even you don't know. Then they went and defeated the entire system this year. So what happened is biometric fraud started: that the fingerprint scan can be saved once and then replayed on the network, because after all it just may be called on the network. How does the network know whether you are taking a fresh fingerprint or sending a scanned image? Network can't tell. So that scan started happening. Earlier this year Sameer Kochhar reported it, saying that hey, look, here is this bank that is going to be a demo of how they basically save your fingerprint, Axis Bank and eMudhra. So they said, the guy went and reported it saying that hey, look, this is happening, this is not supposed to happen. So you had put an FIR on this man, you said you are spreading falsehoods about Aadhaar, and he still got a police case on him, by the way. He is still very angry about it. He is still very angry about it. You look at his tweet stream: every time some other news comes up he says Airtel was let go but they harassed me for reporting it. That is an important point to make: if there is Aadhaar-related fraud, not only do you have no legal recourse but you will be harassed for reporting it. You will be. So this happened: Sameer Kochhar reported it, UID went ballistic, they filed an FIR against it, and they said we will not allow biometric authentication anymore without registering your device. So they introduced this thing called registered devices, where the first version of the spec they put out was to say, to prevent you from capturing a copy 
of the fingerprint, it will be encrypted in the hardware itself and only encrypted packet will come out of the hardware, so that you cannot replay it because you got a timestamp embedded in it. So they put this out first. Then they realized that this means you would replace every single biometric scanner in this country. So then they chickened out and said no, we will not do this, we will do a slightly simpler version where the encryption happens in software on the computer. Wow. So we say it will come out of the biometric scanner using existing hardware with low encryption, but as soon as the computer reads it, it will encrypt it. And you can even say, are you guys nuts? I mean, what is stopping me from sending it as a scanned image back from your biometric scanner? And you know how easy it is to do it. So in case you guys don't understand, most of the biometric scanners are fundamentally USB devices, and USB devices can be emulated in software. So if you are a USB device developer, let's say you are developing a mouse and you want to plug the mouse into the keyboard, you are not stupid to go and actually create a mouse and write a device driver. The way in which hardware and software works is very different: you first make the software and then you make the hardware, and then you test all the driver with the software, and then you actually go and do all that work. So fundamentally all USB device development happens in software, and for you to happen in software you have to emulate it, which means that we create a dummy driver in software and say hey, here is a USB mouse, and send all the command packets saying oh, it is moving on x, y, y, z and all that stuff. And here is the most interesting part. Let's say I give you a scanner, a fixed scanner which is non-registered device. I put it there and I capture it. I can send the same image back from a USB device, looks like another scanner. What will it prevent you from that? That's not the interesting part. The 
person was providing them not here, in somewhere else. So one sec, but at that point the person was providing their fingerprint; it's their responsibility to know whether it's a... How will they know? That's the thing. I completely understand they won't know, but essentially that's who has the responsibility. It's the citizen who is responsible. Fraud knows. This is not the best part. The registered device requirement is that every single owner of a registered device, which is the shop in which it is located, must register it with UIDAI, and the software that UIDAI supplies will encode their registration ID in the packet. In the packet. So now what happens now is that when this scanner is used, and from December I think it's mandatory, so it's mandatory to use registered devices henceforth. So now when you put your finger on a registered device, which is now become mandatory, it is immediately encrypted in software on the computer, which has a device ID on it, and obviously the device ID has pre-registered with where is this device supposed to be located, who wants it, whatnot. It is sent through this entire federated network, which is supposed to mask its origins, to UIDAI, where it has a nice source ID saying it is sent to this guy and he's in this location and he's here and he's there. What is the point of that entire 300% network of ASAs, AUAs, sub-AUAs if you also want a source that it came from? Somebody's made one. So we don't want to know where your things are, but then the board is happening, but we also want to know where it is. So here is the interesting thing that you guys need to understand. In all systems, right, which is presence-less or electronic, there is always a problem of balancing privacy and fraud. So think about this very differently. You are using a bank. I mean, I can defraud you and probably take the money from your bank and move it to my bank; at least there is an element of traceability, if you call it. But let's say you are using Bitcoin, totally decentralized, and if I steal the 
Bitcoin from you, you can't figure out where it went. Or normal cash: it is gone. So cash is anonymous, and hence fraud, if it happens, is impossible for you to trace unless until you have other ratios, but on the contrary it gives you exceptional privacy. But if every transaction is digital and everything is tracked, then it gives you no privacy, but it is at least traceable, slightly more traceable, but there are ways to defeat it. So here is the interesting problem. These guys tried to say first we will build privacy. No, no, no, no, no. Because their fundamental assumption is biometrics cannot be faked. Remember that the fundamental assumption behind this entire scheme is that biometric cannot be faked. Because how? People are not smart enough to do it. That was the assumption. The reason why the assumption came was is because it was designed for welfare, and they contemptuously thought that these bums who can't even make 100 bucks, how are we going to defeat my technical solution? Now what happens is when this entire thing became live and it went to a different set of population, you are dealing with people like me who break security systems on a day-to-day basis. How are we going to defeat them? And then you also improve the access. When you make it mandatory for everything, it is now one big honeypot. It is super lucrative. You never do super lucrative stuff like this, because now all I need to do is... So think about this very differently. In the past, let's say you are one of those NREGA fellows. Even if I know an Aadhaar number and let's say I took your feature phone, how much are you going to lose? 2000 bucks? 3000 bucks? Now let's say I am able to actually get the Aadhaar number and a phone of one of those wonderful politician guys. I own him, right? So fundamentally the risk profile has dramatically increased for precisely what? 
Right. I think it is also important to mention this whole idea, tying back to what you said that technology is unbeatable. I think a lot of people feel that your fingerprints are, and this is also due to, I think, our culture, things of fingerprints, that you know your signature can be faked but your fingerprints are, you know, where somebody committed a crime and we got the fingerprints and we figured out that it is only this guy because only he has these fingerprints, it cannot be somebody else's. So I think there is this myth in people's lives about one-is-to-one mapping of fingerprints. But what I learnt recently from reading online is that when you authenticate using your fingerprints in a scanner, it is a probability response. The software is saying probably this is this person's fingerprint, because it can never be 100% sure that it is your fingerprint. So the scanner, the technology, can only tell you that this is probably this person's fingerprint. I think that is a really important point for people to... Because collision detection is something like, like there was MDPI, I mean it is not 100%. No, but this thing is, that was a deterministic, that is what we are, this is probabilistic. Other safety algorithms are all broken, like you cannot do cryptography at all with probabilistic outcomes. Now also going back to whether you trust technology or a person: let's say I recognize you. I am capable of recognizing you if you have a big slash on your face because of some injury. I can still recognize you because that is how human recognition works. But if I have a fingerprint, it will fail. So the technology does not recognize human beings in the same way that human beings recognize human beings. Any other reason why and what happens? But like for example he sent in a beard and today he is completely shaving off, half the company could not recognize. So I am saying that your assumption that humans can, they actually... I am just saying that it works differently. I am not saying that one is better than the 
other. The correct way to understand this is you can evaluate the context and see if a girl recognizes a person, what is it, can I do something else to recognize this, whereas a machine will just tell you I do not recognize you. And the logic of putting it in PDS is more problematic, because there is food available, locally person available; in between there is a system which can give a probabilistic response, and that have its own set of failure modules including connectivity and various other elements. So a typical system thing, right: when you chain response with the error rates, kind of error rates increase. Another thing that is in the same area is that it seems like UIDAI has put all their exit to baskets unless fingerprints are not in the ISN. So for example... Not true, because this is the chain that they tried to make me do and say the bottlenecks not required anymore. No, but basically right now if I need to go and authenticate my cell phones I need either my fingerprints or my ISN. Now OTPs are out. Has it started for all of us? Because they have discovered that fingerprints are not okay. OTPs are insecure, that is another story. There is the other part also, that PDS versus DBT is transition that has been happening for the last 10 years. So PDS is an ancient system, it has been around a while, and PDS comes from the socialist state where you believe that the government must run its own parallel institutions to compete with the market, which is where BSNL comes from. BSNL exists to compete with free market telecom companies because the market has this faith that the free market cannot be trusted. So PDS system originates in that era where you say everything from growing to delivering it to the most of citizens is the state's responsibility, and over time it is proven to be a ridiculously bad idea. The state is just not efficient enough at keeping control the way a communist imagination of the state was supposed to function. So what has happened is PDS is a state subject. The central government in 
the Manmohan Singh era decided that this PDS thing is not working, we need to do something else, it is time to dismantle it and make go free market even in this zone. While license law is a bit dismantled, it is not being done over here. So DBT was the idea that cable said why don't we give people bank accounts and send money directly to the telecoms and not create our own alternative to the market. We just give them the subsidy instead, let them figure out how to spend it. So for example, to translate that, if somebody is entitled to 20 kgs of rice a month, instead of managing this huge system which makes you just give them 20 kgs of rice, instead we will give them the money for 20 kgs of rice, let them just find it. So the DBT system is the Manmohan Singh government's idea. The central government does not run welfare in this country; state governments do. So the central government says let's dismantle PDS and do DBT. They can't do it; the state government has to do it. So part of their mechanism has to be to say, okay, we will make the states suffer for it if you don't comply. So a PDS failure in the state is good news for the central. The more people suffering on the ground unable to get their rations because their biometric authentication doesn't work, central government is very happy, going to say you fuckers move now, go to DBT, why are you doing this PDS nonsense. So part of what's happening here, and this is something that is not very well understood, is failure is success for your idea, because the central government wants it to fail. PDS being the first scheme to be into our country, it's meant to be like an experiment. If it fails it's great, because then they will move to DBT at least. But here is the other, the problem with that, the problem with that is the political economy of the country is deeply connected with PDS, okay? The political economy of the rural area is deeply connected with MNREGA, right? And where do you think all the recent troubles are all happening? In the rural areas. And 
what is the place where it got hit, the demonetisation? Mostly in rural areas. And that is the place where they are going to be impacted. So what people actually thought during those times was not the same as now, but you design a system, you force it using NFSA for all these guys, and you got what you got. So DBT as an example, on both NREGA and PDS, they are not doing great. And also PDS is based entirely on this biometric authentication. DBT is meant to be what you would say just link your bank account; there is no biometric authentication between them anymore. The problem is that the technology for DBT was built later, much later, and so you had this super elaborate deduplication mechanism that UIDAI employs, which is the only thing that can feed proud of rq with one of these architects. You talk about deduplication because as far as they are concerned that is the only thing that works in their system. Does it? It does it, it does it, it does it. There are issues with that as well. As it turns out, deduplication works if the same fingers and the same eyes are used by two people. No, no, if there is time we will come back to that. You will laugh your heart out when I tell you that. So they have very close problems. We are not in the realm of bizarre, because they have, they have device driver problems. You do an iris scan, it is a picture. If your eyes are burning fingers can capture it. If you have device driver as a bug, it sends a different picture back, it damages the picture in some way, and you will get a different Aadhaar number. So it turns out they have device driver bugs. So people have been getting multiple Aadhaar numbers because one version was captured with the buggy device driver, so two different pictures of the eyes were captured even though it is the same eyes, and two different Aadhaar numbers have been generated. This is on the public record. This is on the public record. You can't deny it. They have admitted it now that this happened. No, no, what is your fault? There are many people having multiple Aadhaar 
what is none of my fault. Anyway, on the initial days of saturday... Multiple Aadhaar is a problem only after the Aadhaar Act came into place; before that there is no act. Leave this aside. There is problem with the duplication as well, but assuming that stupid bug does not exist and it works well, that is the one piece that they will injure it thoughtfully; they spend a lot of time thinking about it. From there to DBT, where the last bank gets to clean your account and it is on good faith basis. What kind of technology is that? That looks like you cobbled it up in one meeting, one weekend, and said okay, we will be nice to each other and we will operate it like this with one database table and, and we are done. It looks and feels like it was built on a weekend. So if you think about this, on a drunk weekend, may add, because it is an elaborate biometric stuff that took multiple years to design and build, and you got this DBT stuff which was built so horribly that it is one database table with no audit or whatever and multiple parties having write access to it and no authentication required. So this is another action that people who have Aadhaar can take, which is if you have Aadhaar and if you have authenticated and linked to yourself the same card, can you call them and check whether they have opened the payments bank account in your name without a consent? Are the DBT going to disclose it? I actually don't know, because I know that Airtel has been caught and deemed partially innocent and partially guilty. The other fathom, they also became your department. I mean somebody, somebody was always, somebody was also saying that if you authenticate using Vodafone, the Vodafone payment bank is called M-Pesa, and that M-Pesa account was opened for a person and we got a message. I didn't want to write the words, words is all gone. So no payment bank. But my question is, my question is, if somebody has recently, if somebody has Aadhaar and has recently authenticated using their thing of biometrics to link their 
mobile phone to cut with their Aadhaar, can they call their mobile phone company? They have duty font, so they should. The way is you have one using the NUUP, it can be checked. Started that, star star management. We will start there. There are more Easter eggs, so you are not done yet. So if you have an Aadhaar and authenticate your mobile phone, call your phone company right now. That's the message, because you don't know what's happening. Do you want to get into the sunny stress Hanuman? No, no, not yet. Until it comes out we will think about it. We will talk about Hanuman when it comes out, next HasGeek meetup. Actually it's coming out tomorrow, I think. The people who are watching the live stream, this might be a good moment to repeat the actions that people can take. If they don't have Aadhaar, we discussed earlier, judiciary, it's still at the question, which means the courts are still trying to decide the validity of the entire Aadhaar scheme. So wait. If you haven't got Aadhaar, wait. If you have got Aadhaar and don't want to link it, wait. If you have got Aadhaar, you can do nothing but wait. You are the country. Well, if you leave the country you have to cancel Aadhaar, but there is no provision for cancellation. Yes, but you can't cancel. Sorry, okay, but going back. So, uh, judiciary, it's at the question, so wait. Legislatively, there's a website called www.speakphobie.in. It's a website where we can go there and we can ask your member of parliament to, and it is a very simple process. You just select your state and your constituency and automatically your MP's email ID is populated, automatically the petition is populated. You can then change the wordings of the petition to suit yourself and you can send it to your MP. 
We are asking MPs to file what is called a rule 193 notice with the speaker, requesting the speaker to initiate a short discussion, short duration discussion on Aadhaar, because we feel like in the context of all these problems Aadhaar should be discussed by Parliament. And the third thing that you can do is if you have Aadhaar then make sure that your biometrics are safe. You can check how many times your Aadhaar has been authenticated in the recent past, and if you link your Aadhaar to your mobile phone, call your mobile phone company and check if they have opened a payments bank account also in your name without telling anyone. Since we discussed that Aadhaar is an opt-out mechanism, so the question is how much can we trust the effect even if opt-out is illegal. How can we be sure that during AI if we are leaving... You cannot. You cannot. You cannot. You can't still trust. You can't. You can't. If we release a Facebook account then you know Facebook is to be given. An opt-out mechanism without legal accountability. There is no opt-out mechanism. Currently there is no opt-out mechanism. Currently there is no opt-out mechanism and currently there is no legal accountability because citizens cannot initiate legal action under the Aadhaar Act. So, if an opt-out mechanism, you know, if the dimmer is heard and opt-out mechanism is created and if there is legal accountability attached with that, then perhaps sub-task can be used. Even if they create opt-out mechanism, will the vendors on the ground let us have SIM card without opt-out? Because that is a problem. Yeah, I mean, I think opt-out is a highly theoretical scenario right now. And I think so part of the opt-out, and people who have designed main mailing systems will understand this, that if somebody unsubscribes from your list, then you need to know that they cannot be re-subscribed because they are unsubscribed. Which means that you must save the fact that they are unsubscribed. 
So, desirely enough to unsubscribe from a list, the list must know that you are unsubscribed and they must keep you on record. And then refuse to re-subscribe you unless there is explicit confirmation that this was indeed an attempt at recon, you know, re-subscribing. Which means they have to store your email ID forever. So, basically that's the thing. So, they have to store your email ID. You know, thing is that if you think about it a little bit, you realize that no, you don't have to store the email ID. You just have to store a hash of it. Ah, correct. Okay. Because if you can hash it, then you can compare the hash and see it. Yeah, it's correct. It is an unsubscribed idea. I don't want this to deal with this. The problem is hashing only works on deterministic systems. Not on biometrics. You can't do it on biometrics because biometrics are probabilistic. So, it comes down to this, that you cannot opt out of Aadhaar because the technology to opt out does not exist. Yeah, but then your fingerprints can be anybody's fingerprints, right? You can go and enroll again. So, they have got themselves into this corner where they can't give you opt out because the technology to opt out does not exist. It's not been invented yet. So, it's a fairly interesting corner to have. Kind of like putting the toothpaste back into the tube, right? Tube. Yeah, well, you have better success with that than this. Well, Easter eggs. So, so far we have realized that there is one table of Aadhaar data in UIDAI, which has your demographic details and your biometric details. Now, it turns out there is a second table of Aadhaar data, which is the NPCI, which has your Aadhaar number and your bank number. And then the banks again have their own tables. As it turns out, so that's not the end of it. There are more such tables. Wow. The LPG table exists. Okay. And the LPG table does not even check if your Aadhaar number is valid. Wow. So, you have fake Aadhaar numbers or disabled Aadhaar numbers. Valid LPG. 
Valid LPG IDs. And that's the Hanuman story. That is the Hanuman story, okay? So, in case you guys remember what it is. In 2014 Lord Hanuman got an Aadhaar number. It was in the news. With his photograph. With his gada. With his gada. Yeah. So, you search for Hanuman Aadhaar, you'll find the story. As it turns out, Hanuman has an active LPG connection. As of last month. As of last week. As of last hour. I checked it, okay? With his gada and his photograph and everything on the LPG table. They're probably routing it to someone and the Aadhaar number is invalid. It's been cancelled, okay? But the LPG table does not check if it's valid. Doesn't care it is invalid. Somebody is getting LPG. Somebody is getting LPG. Hanuman's Aadhaar number. That's the Hanuman story. Yeah? Excellent. Aadhaar is really holy. Any other names that we are aware of? Of course, non-Indians. We have plenty of non-Indian tables and... Non-Indian entries. Not entries. Non-Indian entries. Didn't you sell it as a way to check for individual ingredients and all that? How? How? I agree with that. I mean, sell is different, but how? I mean, see, so the question that we have to ask citizens is very simple, right? If you take any emotional construct, I mean, this is basically my theory after working in nursery for a very long time. Almost everyone wants their country to be good. Almost everyone wants their country to be the greatest. And almost everyone wants their elected representatives to do something about it. Right? This guy calls it agency, right? Or whatever. Agency thing. They want it to be best and all. So when you basically, when someone comes basically and says, I can do all this for you, right? And you see some other guy saying, maybe I can't do it because there are a lot of other reasons why I can't do it. Nobody would. The guy who says I can do it all for you, right? But here is a question that you should ask. How are you going to achieve it? 
Okay, that is the story of Aadhaar removing corruption. And we have done like historically hundreds and hundreds of studies all around. And I can tell you that on an average, we have spent 20 times more money to remove corruption than the actual value of corruption. And then the question you have to ask is, is that not corruption? Because somebody paid and got paid to create this. Correct. And that's the story. Do we have the next big table? Oh, yeah. That's a big one. All right. So here are the other interesting questions that I think you guys should ask. The Aadhaar Act explicitly says on a section that you are not supposed to coordinate, right? You are not supposed to cross-reference data by using Aadhaar. Okay. You understood that, right? You are not supposed to cross-reference. And what is the problem? The problem is that if I have an Aadhaar number, I cannot say all these people who have criminal records belong to this Aadhaar number. No, not that. Suppose I buy the DLNA's table of the Pell Court company and the insurance company and they say, okay, let me multi-data basis. Yeah, that's not allowed. That's legally not allowed. Right. Except UID also does it. Except UID does it. And that is intentionally. Okay. So how many of you guys have heard about state resident data hubs? SRDHs. Yes. That's correct. Okay. So do you know what exactly SRDHs? It goes to every... So remember how the... Let's start with history. Basically, the thing is that states have always been doing the citizen programs, like ration cards for a state subject. So the state period department would give out ration cards and then build their own database of citizens who are supposed to be on the ration card system and so on. And before Aadhaar, there was no national population register. It was only a state register. I had. There was NPR, which was the project to fix this problem. Problem. But not... Yeah, sir. But NPR is the story. NPR is the story. 
So what happened is that every state has had its own citizen database. These are obviously leaky because people cross state borders all the time. So you might find a person who is in different states, publishing tables and there's nothing you can do about it because there is no way to find out if somebody is missing. Because those databases don't talk to each other. Those databases don't talk to each other and you only update the database when something goes wrong. Right. So if somebody is not taking a benefit from you, you don't know the fact that this person doesn't exist because it's not come up at all. Right. So the central government has been thinking of how to solve this way before Aadhaar. Right. And one of their ideas was to say that the central government has only one comprehensive exercise where they formulate every single citizen in this country and that's the census. Right. So the census, which is the registrar general of India, they gave them this new project saying build the national population register which is a live database and not any other database. Right. Because this is the only entity that is capable of solving this problem. Okay. And UIDAI was created at the same time by different kinds of actors saying give numbers to everybody and do something to create this database by many database. So NPR and UIDAI became two competing projects in the central government. NPR became the Home Ministry's project, UIDAI became the Prime Minister's project. Right. And people who know government realize that the Home Minister and the Prime Minister are two competitors. Right. So the Home Minister is considered one of the most powerful ministries in the country, which is typically why you'll find that Prime Ministers want the Home Ministry to themselves. Right. Because it's otherwise, it's one parallel branch of government. In the Manmohan Singh regime, it was Chidambaram running Home Ministry, Manmohan Singh running Prime Ministry. And... Planning Commission. 
Most importantly, Planning Commission. Planning Commission was who? Planning Commission was Manmohan Singh. Manmohan Singh. Okay. So these two parties decided that one will do NPR, one will do UIDAI, they became competitors. And they became bitter competitors for the point of high fights. And Chidambaram trying to kill UIDAI is well known. It's been on the record for a long time. As it happened, over the years, they became building up. When Modi comes to power, he looks at this and says, why are we doing two? Let's kill UIDAI. Okay. Until something happens. And he says, no, no. Let's do it the other way. Let's kill NPR and put UIDAI in charge. Yeah. There was in between... There was a group of ministers meeting. Yeah. In which they decided 50% said you let UIDAI and 50% said let NPR work. So UIDAI... Both work. Both work. Let both work. We will exchange data and build one population of India. Eventually. Eventually. So the thing is that whatever UIDAI said about AUA, ASA, privilege of separation, not wanting to know details about people and what not, NPR had no such principles. So they would go to every state and say, okay, state wants database of people. For ration cards, you need to know APL, BPL, and below poverty line. So you want that question. You are not willing to accept a population to issue that does not answer this question. Right. Or you want to know caste status, what not. So NPR was this compromise database. Where every state, you want these answers, go ahead. In your data collection, we will take all these answers. UIDAI said we don't want to have anything to do with any of this stuff. It is not that alone. It includes... There was an issue of many states are opposing UIDAI including Narendra Modi. Yeah. When he was... So it was mostly like a federal versus federal issue. So in the UIDAI itself, they wanted extra data to be collected and handed over to states. No, but they said they don't want it. All the states should have it. 
Yeah, states wanted extra parameters like KYR plus. States wanted it and UIDAI refused to collect it. Yeah. Then they compromised, which was R. S. Sharma's innovation. KYR plus. The current R. S. Sharma. Yeah. So how this becomes SRDH? So his solution to this problem of people, you know, quibbling, you know, and squabbling over who collects what data and what fields they want was to say, okay, we will design our enrollment software to take all of the data that you want. So the UIDAI data is called Know Your Resident, KYR. Right. And they said, we only want KYR, which is name, date of birth, and age, and address, and biometrics. And that's it. We don't want anything else about this person. We don't want to know the caste or religion, what not. You, the state, wants it. So this is called KYR plus. Yeah. You can add any extra fields in our enrollment software. And the state government is a registrar that will do the actual exercise of conducting your registrations. So you get all this extra data, which we will not get. So when you do enrollment for Aadhaar... They collect everything. They collect everything. So each state will decide... Every state will decide which parameters they will collect. And so therefore in those states, you cannot get an Aadhaar without divulging this. Yes. Exactly. That includes your caste, LPG ID, whatever. So in Karnataka for instance, the Karnataka government is a registrar which collects the enrollment data. So they separate it into two packets, KYR and KYR plus. KYR goes to UIDAI. KYR plus has to go somewhere. States do not have an answer. So UIDAI came up with a solution saying, we will build a state data hub, a state resident data hub, SRDH, where we will give you the know-how to build your own database, which is parallel to the Aadhaar database, which has all your KYR plus data that we don't want to know about. 
So we don't want to know all this information that the people is good, but we will give you the technology so that you can know all this data for the people's sake. Because you are the elected representative of the people, you decide what is good for your people. And that I will have UID. So that's the thing. So it has an enrollment ID because it does not have an Aadhaar number but the Aadhaar number is not generated. Generated, right. So the deal now is the problem is that enrollment ID can be duplicated because you can always go ahead and enroll one more time. What's stopping you? Correct. Oh, I mean, so what you're saying is I have already have an Aadhaar. I can enroll. I can enroll. I can get a new enrollment ID but my Aadhaar will get refused. Yes, eventually. Eventually, but the deduplication is done. Because my biometrics, my agile. Exactly. So now, the problem is that EID by itself is useless because you can enroll multiple times. So what happens is that the deal with SRDH is that they will deduplicate you and send an UID back to the SRDH. You see, we deduplicate it and confirm that your enrollment ID is unique or it's duplicated. It is called EID UID mapping. Right. So they will send you the EID UID mapping that says your enrollment ID is our UID in our database. Which is currently a violation of the Aadhaar Act. Sorry, sorry. Say that again. What does UIDAI takes the enrollment ID? So the enrollment ID sends the Aadhaar Act. Yes, you should not give the map. You should not give the map. You should not share the Aadhaar numbers. Okay? But what they have done is to say because we have to deal with all the state governments for their state resident data hubs the SRDH will get the EID at the time of enrollment. Right. And then UID They don't have the deduplication technology. Aadhaar UID also gets the EID because the same EID is generated for both parties. Correct. Aadhaar will deduplicate, generate the UID or find the existing UID. Right.
Send it back to the state government saying your EID is our UID. Therefore, two EIDs have now been linked to one UID. Yeah. So that is for deduplication. Now, the problem is that is not parallel Aadhaar database. Correct. Everything on free UID is also in SRDH. The only thing is extra parameters. Some extra. So if you look at what they have actually done is they have created a minimal database in the center and they have created a maximal database on multiple state hubs. You understood that? 14, 14 or 15 the numbers is. Subscribing to the state resident. Yes, exactly. Which is not covered by the Aadhaar Act. So you have no protection whatsoever under the state resident Aadhaar Act. Okay. Now, here is the most interesting question. Okay. Now, I'll ask you another interesting question for those who know a bit of computer science. Right. What is UID? It's claimed that every time that you enroll, correct. It is encrypted using 2048 bit encryption, which can't be broken. They keep saying, right? It is all encrypted encrypted. That's the point. When you enroll, you're giving KYR and KYR plus in your biometrics. Yeah. Okay. UID only gets KYR, basic data and biometrics. But if you enroll everything and you're not sharing anything in the state, how is the state getting KYR plus? Think through it. The information only if you're getting the encrypted information. Yeah. But it's, what will you do with encrypted? And so what, what UID actually does is actually has two encryption keys. It has two encryption keys. Okay. Every enrollment produces one encryption key is with UIDAI, KYR and biometrics. The other encryption key is actually provided with the state during the time of releasing the enrollment software. So the state basically gets KYR and KYR plus. And biometrics. And biometrics in some cases, we'll come back to that. Okay. So in, in case you understand the RGI and NPR project, both of them are running in parallel. Okay. The RGI product was RGI and NPR the same. Oh, sorry.
Today we're running in parallel. Both of them are supposed to give you multi-purpose identification cards. But the NPR project basically said that we will give you a biometric smart card. Yeah. Okay. The biometric smart card required a fingerprint to be stored as part of the smart card. Which means if you interpret the software, where will the states get the biometric of the thing? So in RGI states, we know for sure, or even in other states we know for sure using this dual encryption keys, biometrics, were shared during enrollment. We have official documentation proofs for it. We're not talking anything about some website and all that. Official documentation from UIDAI. Which later got deleted. Yeah. These are all part of the deleted RKI or document. Okay. And so we have tracked loads of deleted documents. And you can just say wow. Right? No. They can simply go and change the act, but within comment to comment, they may be able to disclose. So the Aadhaar Act clause number section 47(1) says that a court cannot take cognizance of any offense under this act. Correct. Okay. Unless UIDAI grants it. There is section 52 which says that anything that the officials do, if done in good faith is exempt from this act. Right? In good faith. Yeah. So the words good faith is in the actual section. So that protects them. That protects them from doing all of these stuff. All of this stuff. Because nobody can even if they do themselves, they just... No, no. So here is the interesting part of the Aadhaar Act. Right? I am the guy who wrote the act. I am the guy who can prosecute violations on the act. And I am the guy who is also violating the act. Yeah. Okay. And it gets better. And this was passed by our money bill which has no core, which the attendance during the time in Parliament was 53 out of 540. Yeah. Okay. And the purpose of the Aadhaar Act is fundamentally to ensure that all the technological jugaad thing that they have done is fundamentally protected from legal scrutiny.
I mean, there is really nothing more to it. Yeah. Because they invested so much time, money and propaganda into it that they didn't want this to fail. Yeah. Precisely. And here is the worst part. Okay. If you understand computer science systems, do you want to live with this? So, what would it take to abandon some of what kind of catastrophe like being optimistic and like the first step to abandoning the system is to stop awesome people who are not in the system. I'm asking about what kind of catastrophic failure would it take? Because the pattern it has to end now. What is going to be head? Whether you like it or not? Which one is it? Let's think of scenario. Yeah. So, I'll tell you why that's not possible. Because in order to not hit the iceberg, we need to first stop accelerating. Right now, all the energies of our entire country is Accelerate. Forward. Forward. You are talking about backward. No, no. What he's saying is like he is asking about how do I know? I mean, so think about that very different thing. I think one scenario that I am worried about is a very deep surveillance of your everyday behavior. But then not your behavior is correct or not. It is already normalized. I mean, look at UK. Nobody sits there worrying about surveillance cameras anymore. It's just normalized by the society there. No, no. But I'm saying that surveillance is still outside without surveillance. You think that it's got to become a scandal until then nothing's going to stop it. Because if it's slow-creating, it will be normalized. In fact, we are lucky that the government is rushing Aadhaar because it has made it a public discussion. Whereas the slow-boiling fraud system that we have been using for so many years simply escapes scrutiny because you just normalize your life under Aadhaar. Acceleration is good in this case. Acceleration is good because it's horrifying people.
Acceleration is a Supreme Court that does not seem to be aware of how badly broken the technology is because the lawyers who are arguing in Supreme Court are not arguing from a technological perspective. So when justice decreases what it's all incomplete? There are 13 answers that need to be given. Explain why that is a meaningless statement. Point is that the lawyers are not going in with those briefings and it's not for lack of time. We've been trying. The law is institutionalized a lack of understanding of technology and doesn't know how to course correct. So in one sense the Supreme Court is looking hopeless because of this that they may finally find an argument using the right to privacy judgment and not think about technology at all but the technology argument is so much easier, this is just fundamentally broken technology. Also came up during the right to privacy hearing, you can notice what happened with one of the lawyers giving a biometrics violates my bodily integrity. We're not interested about that. It's kind of a dumb argument because you leave your biometrics and everything you touch. Like you leave your biometrics here here here here here. How does it violate my privacy? Probably one thing that could really scare people into saying hey this is not a good I guess following surveillance or something like that Aadhaar database is actually the theory that this is all funded by Bill Gates and CIA. No no, you don't have to go, you don't have to stupid or conspiracy stuff, okay, you don't have to stupid or conspiracy stuff. I mean that's I believe maybe I tell you this, right, you don't need a foreign government to actually break into the system. I mean you and me can do it because they actively publish it.
But that is that is only what is going to cost some more what you call hard work. I will tell you precisely, okay, not the foreign government and not this CIA stuff and not all this stuff, right. And you are talking about iceberg, right. The iceberg that is going to happen is AC rules that is fundamentally not violating privacy because they believe in the half-baked technology stuff the government says. Government goes more stream more stream, links every single damn thing in your life which is already not linked maybe, right, to Aadhaar. And then and then you get into some kind of tricky situation with China maybe five years down the line, for whatever reason, there is no problem or whatever you call it. They send two spies and one hacker which basically does a denial of service on the central Aadhaar system. Irrespective of all that critical infrastructure stuff they talk about, I know how bad it is, right. Basically the country stops at a standstill. That is probably what we are trying to failure. Single point of failure. Right. But that point of time when it happens, when it happens, you would have bigger problems than the Aadhaar database and that is the people die. Yeah, they are already dying actually. Okay. I mean in the context of disaster there is another important question that we should consider which is what does the government need to do to make Aadhaar work? Is there any way in which a lot of back, a lot of backpedaling on the fundamental design decisions? Yes, it has to be redesigned as a decentralized system. So basically what you mean is already partially decentralized with the state which is. It is not partially decentralized, it is interconnected. The pause the pause of all is where people centers rather than being decentralized. So you have to remove the central database. Yeah, then it becomes decentralized. No, these are all interlink, these are all interlink. So the fundamental thing that most people do not understand about the SRDH is that later it is basically two-way synchronize, it is
two-way synchronize, in case you go to understand, it is two-way synchronize, not one-way, two-way. And if you already want to understand why, you have to ask the basic question, right. Let's say you actually link all your Aadhaars with your mobile numbers. How does the UIDAI know? Because you are putting all the stuff in your mobile number telco database. How does UIDAI know link it? Precisely. What these guys have done is this: the state data hub is basically correlated, correlated, and it is built with one big database and across all the databases you can build information highway and that is SRBOM and that is basically made available to the system. So it is basically not one-way syncing on EID UID, it is basically two-way syncing. And that is a part of people who look at it and say this is going to blow, this is going to blow, this is going to blow and the system is going to survive which these guys are going far. Just one clarification there. Why is it this extra data going to the center? They said that they do not want anything. They don't want anything. There is another project called SRBOM. Why was it launched? It was launched precise, it was launched outside UIDAI. It was launched by DBT Bharat Mission outside UIDAI but it is I think. So coming back to the Airtel, who designed the Karnataka Resident Data Hub? PWC. PWC is Pricewater. Pricewater. Pricewater. Who audits Aadhaar database leaks? Pricewater. Who designed the Aadhaar database leaks? Pricewater. Who designed the brand service? Pricewater. Pricewater. Who audits Airtel data breach? Pricewater. Pricewater. Does Pricewater run the country? Well, that's the question. Well, I don't want to go into the political context. And also, I think in the parliament itself, they essentially, yeah, yeah, about them. Ethical, unethical behavior of Pricewater. There is a parliament answer. There is a whole lot of history that one has never realized. Who controls that? Who controls that? Not the wrong man.
So, the Servant Project is fundamentally built outside of UIDAI, but what enabled the Servant Project is, is SRDH. SRDH. Okay, so think about it, right? If you have 20 different databases all having individual, every single detail about every single resident in every single studio that I have, it's too easy to link a national database with everyone. Yeah, just you need to have these two. These two, 20 together. And then that is made available to the central government or whatever they please. And that's the Servant Project. It is actually named apt. Okay. It's just, it's called Servant. Okay. Not Servant. S-E-R-V-A-M is basically something that came afterwards. The original name of the project is Sarvam. S-A-R-V-A-M. Everything. Everything. Beautiful. Fundamental question is what are they trying to do with our, that who of course has cheese over the years, so many times. So, this point is a question. This was the question somebody asked in the starting of the deal. I guess it was you. No, I don't know. Okay. But driving, you have driving license for finding a password and we have a plan. What purpose does Aadhaar serve? And that question has never been answered right from the beginning. That's what keeps changing. Yeah. So, one of the things to remember is that organisms like to live. Okay. And it's also true of institutions. Institutions and entities. Entities like to live. So, UIDAI at this point is fighting for Sarvam. And they don't care why they really need to exist. They just want to exist. And while we discussed about data protection, there is active discussions from, hold this problem, purpose limitations. Yeah. Without even understanding. So, that has been something. Right. So, when you say UIDAI wants to exist, you mean to say they have got this done, they need not exist. No, you are saying that they don't solve any of the problems that they have. So, they have created to solve some problems. They are not solving those problems.
So, the question now is why does this department exist? And why are they forcing themselves and everybody in this country? And the only way to understand it is that they exist, they are existing for their own sake. For example. Existence for the sake of existence. For example, why they issued a Gazette notification recently? Yeah. On what basis are they telling a bank whether to accept another employment or not? So, why RB is over? Yeah, because NPCI is an association of banks that is supposedly overseen by RBI. And it's an association that's owned by the banks. So, when a bank has a deal with NPCI to update their Aadhaar mapper, it's basically between them and their subsidiary. And whatever rules are, are rules set by NPCI as an independent organization. It's a non-profit, but it's a privately owned non-profit. Because it's owned by the banks. You know, it's not owned by the government. Now, on what basis is UIDAI telling NPCI to honor or not honor a bridge to its mapper? Correct. And on what basis UIDAI telling a bank to not send a notice to NPCI asking for an update? What is the legal backing behind it? Yeah, what's the legal backing? Where is the statute behind it? Nothing. I mean, they quoted some section of the Aadhaar Act saying that as per the powers conferred to us under the Aadhaar Act... That's like saying as per the powers conferred by me... To me. Yeah, to me. By me. Through me. Accountable only to myself. Only myself. I did X. How does it matter? But they've promoted some sections of the act that give them supposedly the power to do this. I have to go and check what those sections say. Yeah, but it's interesting question. It's asking the UIDAI stuff, right? Like, I am the state. Yeah, so this is the thing, right? The UIDAI is behaving like a state. Does UIDAI... I... No. Yes, they do. Yes, they do. But no. But no. Because they refuse most of the answers by saying a national security. I mean, that's been a trend pattern that we have seen.
So this is part of what speak-ton is trying to do. It's asking the same question through parliament. Because there they can't refuse. So RTI request can be filed? Yeah. Yeah, but you won't get answers. You're just wasting 10 bucks. Some other department refuses. You can go to the court saying they are... Now the parliament... I'm sure it also looks like RTI. Yeah, because... Which is okay. Which is okay. RTI is okay. Which is okay. Which is expected. That's the trick that we have done on the question. Yeah, but it's not the final burden. You can still start and put a case against them. And during the proceedings, it will be decided. So I suspect these things are already in progress. They've just been somewhere in the court system. Waiting for a daily court. What? Challenges to... Some kind of challenge. New idea. Under some other... Yeah. Maybe. I'm not even thinking about what's happening in court with the name on it. The number of cases and... Any questions? Any questions? One more, guys. You want to ask another? I think one step should be repeated again. Yeah, if you don't have Aadhaar, don't get it. If you have Aadhaar, don't link it. If you have linked Aadhaar, just be extra careful. If you have Aadhaar, do the biometric lock. Refuse to do biometric authentication anyway because it's not really required. It's not mandatory according to the Aadhaar Act itself. No, it's up to the service provider. Service providers can choose to demand biometrics in the key. You won't have a choice in it. It's up to the service provider. But even for mobile phone linking and stuff, now you can... Yeah, tryouts allow them to do through OTP. Which is kind of bizarre because you're authenticating a phone number through the phone number. So if you have the phone number and claim it is yours... Hey, that's like your idea is suing them, sir. It's the same thing. Yeah, and more importantly, if you have Aadhaar, just ensure you guys just don't lose your phone number.
And if you do not have a phone number registered in the Aadhaar, add it. Because if you don't, somebody has to put their number on it. We'll put their number on it. Because there is no authentication, the first time a phone number is added. Say that again. If you have an Aadhaar number, there is no phone number attached to it. You can add a phone number to it without authentication. Because the authentication is sent to the phone number that you added. No, it's like a glasses or stuff like that. Okay, that was something I never discovered. Yeah, yeah, yeah, yeah, let's not get him to talk about it. And report it now. So some people have had SIMs which they lost or went to another city and then got a new SIM. And that was linked to the Aadhaar. What can those people do now? If it's got an Aadhaar number linked to it, enjoy screwing somebody else. No, I mean, how do you link it? I don't know. Link to the Aadhaar and you don't have access to that number anymore. So the best, the practical solution is, You can technically go to an enrollment center and ask for a data update. Give some 100 rupees and they will do whatever you want. No, no, very good. 100 rupees, yeah. And so the problem is people who have done this have been given new Aadhaar numbers. This is how the duplicate Aadhaar thing happens. That you went to a center to update some details and they end up discovering that you didn't match what they thought you were supposed to match and they gave you a new Aadhaar number. So this, this iris cat bug was discovered like this. Somebody went to update his details and wanted to give a number instead. Somebody who has Aadhaar must have a mobile number. Yes. So here's the question. Who designed, if there's an agency that does that? Yeah. Who? The volunteers. I had a mobile. The volunteers? Yes. National secret. It's been asked under RTI and they refused answers. So do we know what the structure of this organization is like? Yeah. So some of it is known because it's documented.
So some companies have the right teams, the U18s. Yeah. So who architected it? And who is the architect? The south architect. Pramod Verma is credited as the architect of the organization. Yeah. I had a lot of it. What are the qualifications? We know this through his own LinkedIn profile. Yeah. Otherwise it doesn't mention anywhere that. Because multiple people get familiar with other architects. So then it's not publicly available. So for instance one of the other guys who claims to be an architect is Vivek Raghavan who currently works at this year here. But so before UIDAI understood operational security, they used to very happily publish all the information on it. They have a blogspot website. There are two of them, which is the entire org chart of UIDAI. One is called UIDA health.blogspot.in. The other one is UIDA info or something like that.blogspot.in. You go there, two websites built by probably two different people because they've got duplicate data but slightly different. But if you think about it. That's the thing. So Vivek Raghavan who's currently, who claims to be an architect of Aadhaar on his LinkedIn profile, who currently works in CIDR, is listed on this blogspot website as a volunteer. Right? And his actual job totally is volunteer. Yeah. So here he can just say either he was a volunteer or he was an architect. One of them must be an architect. One of them must be an architect. One of them must be an architect. They claim to have done their homework but it's all national security. But they must call it national security. Because I think it has a problem. That's so what's a national security. That's not national security. It goes through human eyes like people working for whichever government agency handles security. They have humans working but they trust those humans not to divulge information outside. No sir. I don't need to know who the person is. But can I at least know that this person has, has a background in cryptography etc.
I don't need to know who the person is. So to the best of my knowledge, nobody in UIDAI has said background cryptography. I've not seen any of the gentlemen. So all that's written about is cryptography credential. Yeah that's true. As per the documents, the people who are all covered in public are clear. No sir, no sir, no sir. Do not have any background. I think for the people on the live stream 7 corners it will be really difficult. Yeah. Sorry, I just wanted to mention, these are the kinds of things that we can file RTI requests about. Yes. So you're going to need to know the identity of the person. Yeah. So here is the thing. Denied. At one point you mentioned that the courts do not do anything about technology. Yeah. So another thing about a simple thing like water flow rate. Right. And here we are talking about water flow rate, which you should technically know if you are an understanding scientist. Right. I do not expect judges to know about cryptography. Yeah. Cryptography. Even for a computer scientist, I think it is. Hard problem. Very. First of all, at least in the US and the Bay Area, they have lawyers who understand these things. Are there lawyers in India? No. There are some actually, but the point is that they are all junior lawyers. Okay. Second question. Yeah. In your camp, is there a person with, let's say a proper theoretical computer scientist who can do this. In the Kauri case, there were actually bona fide civil engineers who should be going on with the same mistake. So I'm not an expert engineer. I couldn't do marketing. I had to point it out to them. No. You're talking about things like cryptography, database design. These are complex. So all you have to do, at least profiling the RTI and the legal side, is there somebody who can convey this to the legal team? So one of the problems is the legal team is all based in Delhi and all the factors are appeared in the panel. And we have this problem.
We have a realisation problem within the actually. Within the defense of, within the, you know, the anti-Aadhaar collective is that we're just two different camps. And while we know each other and keep telling each other that this is what we should do, it is not part of the strategy because the senior lawyers don't talk to us. The junior lawyers have the deal in the seniors. It is a very well-known problem now that the questioning of Aadhaar in court is not technically solved. So now for example, you get some cryptographic things about cryptography. Yeah. Yeah. I'm not sure. This is, this is exactly the reason they've been able to sell. Yes. Yes. Nobody understands what is happening in the communication problem. Yeah. Yeah. No, this is, this is well acknowledged. If you have ideas. We have a solution. No, I do not. That's right. I do not try. It's, it's a well acknowledged. For example, I'll give you another case where judges are totally foolish. We remember IK and two of us go to Tadak Chitra and of course the DCCI, what, and this is ridiculous, right? They were IPL. We, it was big and I think one of the judges is somebody said, I wish you all the best. I wish India wins the IPL. That's what I actually said. And nobody really challenged that. I think you do not know what the IPL is and you've passed it as well. I think there is a communication here somewhere here that you need to, it is not a problem of, I'm sure all of you know your technical stuff, but it is a problem of, there is an organization in design problem on your side as well, which you probably need to know. So what do you say? Before you, before you go after that. Yeah. I don't think we are an organization necessarily. We kind of like a loose collection of. Loose collection of stupid forms. It can look. It can look. It can look perfectly well. Look at the, look at the lineup, look at the modular foundation. They work perfectly well.
No, but another challenge in this specifically, is that the judiciary has been extremely difficult to get through to. Even the matters that are before them have, have been heard very, very after long gaps. That is okay. That problem, any year will get resolved when the January 17 thing comes. The question is what do you do for the final one? See, here is the, here is the problem, right? If you look at it, most of the people are not aware of the technology. It is always easy to defend the technology when the users have not been rolled out. So that is the reason why it is a good thing it is rolled out. And we know all the problems. And we have now collected truckloads of documents. So the only question that you are to again ask is, are you going to go and explain all this to a lawyer? But it's simply. For a lawyer, versus you go and argue purely on the technology, versus you go argue purely on the law. And me, I can certainly believe that this is going to be a lost cause. If you're going to argue purely on the law. And that I'm very sure that I'm 100% sure. Yeah, yeah. But here is the problem, right? The catastrophic is going to come after the court is going to say yes. We should talk more about single point of failure, I guess. Yeah. See, so here is the problem, right? The catastrophic is going to happen. There is no predicting it. And the way in which I typically tell in terms of security to my team as, look, there is a hundred floor building and you guys have just jumped off from the hundred floor, right? Even at the 99th floor, these fellows are going to come and argue to me. I'm still alive. What the fuck are you talking about? Okay. This is what I call the immortality problem, which is as long as you are alive, you're going to argue you're immortal. And I can't disprove you. But after you're dead, what's the point of arguing with you? Right? So basically the main, which I look at the problem in software companies, right? Because it's not a judiciary thing.
And there are people whose businesses are on the line and there is money involved if you get it wrong. Incentives are aligned. Incentives are aligned in terms of running a business. Here, incentives are not aligned, right? Also, people who have been specifically educated along those lines. Along those lines. And here what you're basically saying is, Sikri comes and says, well, it is encrypted. And there has never been a rebuttal in the court. What kind of encryption? And the lawyer himself doesn't know. Okay. And neither the lawyer nor the judge nor whatever. There is nobody who knows. Yeah, exactly the point. And there have been several such... So forget about just the lawyer part, right? I mean, in terms of technology, we'll keep that aside. But just look at the outrageous number lies that we have actually told about 59,000 crore rupees saved. Okay. Saving numbers. Saving numbers. Right. We have saved so many duplicates. Right? Right. But here is the point with that numbers, right? And lies are pretty easy. And all you really read was mathematics. Okay. Not the complicated mathematics, but just plus and minus. On 2015, you go and say that I found 0.4% duplicates in LPG. On 2014, on the Supreme Court, the government basically gave an affidavit saying that they found 0.4% duplicates in the LPG scheme. Okay. On 2015, exactly six months later, they went and told the government that we found 15% duplicates in the LPG database. Okay. The net addition between the 2014 LPG database and 2015 LPG database is one lakh. You understood the difference? On 2014, the government went to the Supreme Court and made an affidavit, which said we found 0.4% duplicates in the database of LPG's guys. Okay. On 2015, to the same court, six months later, they went and told, we found 3.34 crore duplicates in the LPG database. The size addition between 2014 and 2015 is one lakh. So for a net addition of one lakh in the LPG database, how the fuck did you find 3.34 crore duplicates? New.
New. Of course. New endowment scheme. Right. And again, that's seeded endowment. So it's not random people in the database. Random people in the database. So if you look at every single mathematical, I mean, then it gets even interesting in the media, right? Financial experts basically said, Rajasthan found 2.33 crore duplicate entries in the ration database. Okay. The net size of the Rajasthan PDS database is 96 lakhs. But don't trust me. Because the net size. The duplicate size is in the total number of duplicates. So before the duplicates were found, it was 96 lakhs. No, the total size of the database was 96 lakhs. Total size of the database was 96 lakhs. Okay. And the duplicates found in it were 2.33 crores. Okay. No, no. Here's one thing. The communication between what is said and what is reported is very huge. It is effortless. It is effortless. No, no. There is the same effort with the file we made in the court. Right. I mean, you look at it, it's a transparent lie. And I can tell you the latest RTI that I got from Meha. Okay. So basically they said in LPG, 2015 and 16, financial 2015 and 16, the total number of duplicates found was 3.36 crores. Okay. Which is anyway a lie, but let's not get into that. Right. In a beneficiary size of 18 crores, right? Database size was 18 crores on 2015-16. They said 3.36 crores. Right? Right. On 2016 and 17, they said we found another additional 3.31 crore duplicates when the total number of beneficiary size added was 1 crore. Okay. So any which way you look at it, I call this f of x is equal to random of x. Okay. Right. You basically just spew out numbers from here as and hope the other guy doesn't notice it. But where is the engagement on that? I mean, none. Nobody is questioning them about these numbers. Right. The only guys who are questioning them is me on Twitter and a bunch of other guys in Ritika and so on. But where in the court? Yeah. I think it is on the, that Kalyani men on family. Shanti Sena. Shanti Sena.
On Shanti Sena. And who wrote that on Shanti Sena? No, you. Yes. Right. Where was it questioned? Right. And again. First time it was questioned and they chose not to defend it. Chose not to defend it. And it gets even better. And then the World Bank lie where they basically said that World Bank, so basically when we put out the counter for Shanti Sena and they chose not to defend it, they found the counter of whatever, which is very, very rare. And they said, well, World Bank essentially said, Aadhaar can save $10 billion. Are you saying that World Bank is also a compromised organization or something that they put on the court of it? Okay. I mean, I have it all. Okay. Right. And then I went and looked at the World Bank, World Bank report. It said the total number of, the value of subsidy, subsidy transfers every year in India is $10 billion. Remember the wording. The value of subsidy transfers every year in India is equal to $10 billion. These bloody buggers essentially went and changed that into $10 billion of savings. Okay. For Aadhaar. Okay. And it was. Very, very good subsidy. Yeah. Yeah. Right. It gets even more interesting because I did it like a proper journalist. I basically send the questionnaire to World Bank. It's like, what the fuck are you talking about your bumps? All right. And they replied back by saying that, Oh, these are the two studies and we extrapolated interpolated and we came up with this number. I said, show me the Excel sheet. We have shared everything what we could share. It's just last year. Right. I mean, Right. Yeah. Okay. Right. I'm like done and dusted, done and dusted. Right. And after exactly two months, two weeks later. Right. It was a big article on wire. This was initially, initially it was old news. No. It came on wire. Yeah. It came on wire. September 15th it came. Right. It had 35,000 views and everyone read it. Even Observer Research Foundation. There was even prior to that. Yeah. There was a call with World Bank. 
It was documented and the entire transcript was published in the article. Every single media organization read it, knew it. Exactly three weeks later, Nandan attends a conference on IGF. Two weeks after that. Two weeks after that. Two weeks after that. There was, there was a conference event about digital IGF product. And then he said, Aadhaar saves nine billion dollars. And they're looking at it and saying, Hang on. Does, does this have any correlation? I mean, nine billion, 10 billion, 100 billion, 2 billion, 3 billion. So I call it as the billionaire problem in the sense that because Nandan is a billionaire and he says everything, it has to be billion. And because people believe that Nandan is a billionaire and everything he says has to have a billion number, show me one statistic that the Aadhaar guys put which doesn't have a billion in it. Open challenge. By the way, the fact that they were the fastest, fastest, one billion, fastest, whatever product or one user. Fair enough. That's, that's how the typical stuff works. This government has been buying with numbers consistently. You ask, you file any RTI about demonetization, asking about different periods. They will be live on record. You ask them about the number of enrollments, who ask them about savings. This is all covered in the Aadhaar. Even not related to Aadhaar, they will learn about it. But being money-rained, the actual spending of increment in demonetization is no different here. So here is the other thing that we are doing. We are basically trying to come up with some kind of a cost-benefit analysis. And I can tell you, upfront on my head, we have several billion dollars negative. Yeah, they have already accepted it for the demonetization. Not this. This Aadhaar. Aadhaar. This several billion dollars negative. The cost of rolling Aadhaar. Yeah, it has to be. Minus the savings from Aadhaar. It is several billion dollars negative. Okay. It has to be. With all the pushback, sanctuary limit for all the money. 
That doesn't account for the cost of privacy lost and things like that. I know. Aadhaar is one of the loggers who live most coast-less cities. Okay. By a poor country, which could have used the money to do a hundred other things. Even with corruption, I guess the runway could have been better. Yeah, yeah. So here is the point. So far in my thing, they have probably saved 6,000 fine of crores was the setup cost for LPG. Okay. And set up cost. Set up cost. And then Aadhaar enrollment is 20,000 crores. So let's not bring that up. Let's think about LPG itself. 6,000 fine of crores is setup cost of LPG. The average money they are saving because of all this is about 100 crores every year by spending close to about 1,000 crores a year. Okay. So on a run rate basis, they are already negative. Okay. So in order to recoup that 6,000 fine of crores is setup, they are never going to set up. It's like, it's a non-converging function. You need 65 years plus they're burning every year. Plus they're burning every year. Okay. So the way in which I look at Aadhaar is fundamentally a startup which is funded by a government which is always making losing a lot of money. That's what I said. Just imagine this year. When do you stop when you can stop funding your gambling? Correct. Essentially this is the government funded. This is the government funded gambling addiction. And you have to be... Just look at this year alone. This year alone, this year start, they had 50,000 plus Aadhaar enrollment centers. Yeah. Then they blacklisted 49,000. Yeah. Then they had 35,000 enrollment centers remaining. Then the registered device strategy came. Then they closed down... They moved all their enrollment centers into government premises. Then the device changed for the registered device and all the new kind of things. Then they closed down every enrollment center and decided to open enrollment centers in the banks. And as of now, only 2,500 enrollment centers exist. All over India. You can imagine. 
Just imagine this. That's how it is. Awesome. Because some people like Anand are trying to get government in numbers. Like trying to get each state how much percent of enrollment is there and there are other people also working with them. What they've done is they've deliberately stopped enrolling people in our town. And this is legit. One of my friends who is doing it in Bangalore, he had to go and stand in the queue on Monday for three weeks because they give you 200 tokens on Monday. Even if you have the 200, one person, you won't get it. You won't get it. And in the rest of the five days or four days of the week, they will process only those 200 tokens. This is because the states have reached 100 percent or more than 100 percent. No, that is not the reason for this. That is not the reason for this story. That is a different story. How many guys have you heard about the fact about the ghost kit? The ghost kit? Ghost kit. Ghost kit. Yeah. Aadhaar ghost kit. Aadhaar ghost kit. How many guys have you heard about the Aadhaar ghost kit story? None? Okay, here is the most interesting problem. Can a biometric be faked? Yes. Yes. Can it take your left hand and my right hand and Kiran's left eye and my right eye and give this guy the address? Yes. You got the ghost kit? People have used it. People have used it and people have used it and for close to one year you already couldn't recognize it. So it turns out that it was one of their own staffers doing this. Yeah. And this is the Kanpur case. This is the UP Aadhaar fact case. Yeah. So it turns out that there was this private business of selling ghost kits. Ghost kits. Where they were selling fingerprint masks of legitimate enrollment agents so you could download dollars of yourself enroll anybody you want with all these mismatch of biometrics use the fake fingerprint authenticate and they had 8 ampere subsidies. No, which is getting Aadhaar number. You get another number. Remember every ghost number is gold. Why? 
Because you can use it. You can use it to link to everything so your bank account won't shut down but in place to track you they will never be able to find you. But it's a fake number. Yeah. And so this was something done by an insider in UIDAI. And this was selling like hot cakes all over the country. All over the country. Okay. Believe me. I'll give this. So this is not, this is not movie guys. Is this guy a volunteer? This is even better. Okay. So we looked at how the enrollment software works. We have a domain called biometric shop downloaded. We have as it turns out the radius website. Okay. Do you want enrollment software on your laptop? I can do it today. It's even downloadable and installable today. And you can buy the fingerprint machine from Amazon as well. It's a Java app. It's a Java app, right? We can decompile it and change it and decompile it. Okay. It's a Java app. It's very easy to decompile. It is not even obfuscated. It is not obfuscated. It is not signed. When you do an enrollment I think that is why everybody wants to be a volunteer. Everybody wants to be against something amateur like this. When you do an enrollment with the software the enrolling agent is supposed to put their finger and scan their irises every time they do an enrollment. So you do it for the customer who's walked in and you do it yourself to prove it. Now it turns out the server doesn't check your authentication. Only the software checks it. So all you have to do, and this is what the ghost kit was doing, they disabled the iris scan part of the enrollment system. True equal to false. True equal to false. So they re-compiled the Java profile removing the iris scan part of the enrollment software. No, no it is not that. Okay. It gets better. So basically how it works is let's say you download the software and you want to enroll yourself as some other guy. I'm the operator and I had to authenticate you as so using my iris and fingerprint. Okay. 
These guys knew how to make fingerprint masks. So they made fingerprint prints of thumb prints of all the operators, close to 84 fingerprint unique fingerprints of all the operators are found in the place where they arrested these guys. Okay. But however these guys don't know how to process it is get iris. Okay. A match with local it matches equal to true it matches equal to false. Just went and changed that line and just put it in. Fixed compiled. Okay. This is fantastic. So what this guy does is he will come and say put a fingerprint with that, with that rubber thing and it will start, he will put a finger, I mean of course this is documented. We have an FIR copy for it. Okay. This one here. Right. Okay. Yeah. Yeah. This is a gift that can never stop giving. Right. Now here is the hard part. Right. How the FAR do I tell this to the court? Who is the document verifier? Who is the document verifier? You and you make what are you want? Okay. Because somebody else bigger than you are using and you know what they were that software and you got a fingerprint also some extra fingerprint 5000 bucks and everything. Now here is your opportunity. How will you recoup your cost? Okay. You call and he says I don't know, so you see that, you see that wonderful federated business model being built around all this fantastic stuff. I mean it's mind blowing. So this incidentally is why, I don't know, this is precisely the reason why after I reported this case enrollment has been... So now only the government... So it's limited to 200 people? Yeah, because now only the government banks, all private enrollment is all private because of this case. So in case you guys wonder who's the culprit and why you guys can never get an Aadhaar without standing in the queue for like five hours, you know precisely who to blame. 
But in this it's also, you're assuming for us that the bank operator... Absolutely. Yeah, we're not done yet, okay? So in case you guys understand what was the original Aadhaar case, it is access bank. Yes. So the bank is already, the bank is... So what Monoglicks came on last week, okay? So your document verification is supposed to be done by retired government officer, you know, government officer who is the executive officer. So as it turns out, one particular doctor who is the executive officer has been verifying documents and therefore technically not authorized to do it anymore, and he has just been going on verifying documents, you know, certifying data, saying this document is genuine. You and I discovered suddenly that they were all coming from someone who is retired but therefore not authorized. So let's go cancel all those Aadhaar, say documents are not verified. But the point is, what is the problem here? Is it fraud or is it not authorized? They do different things now. This could be just a retired official continue to do it as if he's not retired but bring it honestly, or it could be fraud. What's the difference? What's the difference? 
Everything. And these people have no mechanism, they just say everything must be fraud. There is an interesting, there is a Mastercard paper which says existing, existing Aadhaar enrollment process is fraud and only banks can solve it, and that was their proposition, and this is what the result is now. You are following that path by closing the other. So they close every single private enrollment agency, every single private enrollment agency, and here is the interesting part. Before closing they tried to move it to government premises, then closed. So 50,000, at any given point of time there were 60,000 private enrollment agencies. They shut down every one of them after last March or May. Now how many people got enrolled using those 60,000 agencies? Which is 1.2 billion. What happened, how many ghosts are there? We don't know. We don't know. The ghost kit has been alive for close to a year, we know that for sure. Right. Okay, so another question which then comes up is the sci-fi stuff in here. What? Now you can buy the enrollment kit in the Q-curve. Anyhow, what is the best part about the registered devices? Because all these enrollment guys bought all these enrollment biometric devices and tried to register, now they are all being shut down, right? Now what they are doing is they are checking all those biometric devices and they are putting in Q-curve. So you can basically buy them, and here is the best part. Are they also selling the registered keys? I bet yes, because standard device would not be registered and they already registered, registered. So I am pretty sure if I go and say... Yeah, this keys enable or disable now. What is this data? We don't know. I mean the thing is that it's a subject again, so they discover this and report it. Yeah. Another question, if anyone knows the answer to this: what are your encos is when the URI decides to disable your Zilis? What is the point? 85 lakh disabled. 85 lakh disabled. 85 lakh disabled Aadhaar numbers. I know one known way, which is fighting to promote Irma. Yeah, yeah, 
yeah. That's a document. That's a document in the case. That's a document in the case. 85 lakh disabled Aadhaar numbers. Okay. How many PAN numbers they found their duplicates? 11.2 lakhs, for which the court essentially cleared PAN Aadhaar case, saying yeah, it is valid. How many Aadhaar numbers disabled? 85 lakhs. Okay. What exactly are we talking about in this country? So the Titanic is coming. Okay. But the only question is whether you and me are going to face the collateral damage with Titanic, or the court will stop it, or the court will stop it after Titanic's collapse. We don't know. The only question is whether you reduce your attack surface very less. Dude. They've worked, they've worked very hard. If you have a chance... They've worked very hard to ensure that there is no attack surface, but even linking Aadhaar with Love Viva, and in case you didn't know the latest thing, even in Goa and paid sex, if you want, you have to get Aadhaar. Hey, the most interesting is the UP Act. Right. I mean for all practical purpose the attack surface is an entire life. I don't think you can escape it. I mean our cyber security model, threat model is long gone. Question received on WhatsApp: With the legal challenge to bring forth threats, then how will the failures in the system happen? So basically what's the iceberg? What's the iceberg? 
Yeah, I think it's, personally I think it's like a massive failure that gets covered up, that's plastered all over the TV screens. Yeah, so personally I'm hoping disaster happens instead of a slow burn, because slow burn will normalize the failures. So actually I'm happy with the acceleration, that means that the failure will happen. Yeah, the failure will happen. It's just going to get more people aware of the fact that this is a broken system. What can, what can we do other than in discussion to make more people understand the importance of what it is? Website, talk about it, send people to speak for me, make sure you have the raw argument, because lots of people keep saying what is the harm in Aadhaar. I think everything is the wrong harm in Aadhaar because it's so broken, and the only way to do this is to just talk about it as much as possible. Discussion and debate, discussion and debate, never stop. The one good thing about India is we never stop talking. Right. The unfortunate reality is that we keep talking about stuff that is not really relevant. Interesting. There was a UP based, UP Aadhaar based marriage registration. So it is like you don't need to go to government office. It's an act. It's a special act in UP. You can enter Aadhaar number of two people. And then authenticate them. And you basically get married. Pay 10 rupees. Pay 10 bucks. And you don't need anyone else. So I have an Aadhaar from UP. I am a resident of UP. And this is only for Hindus. Only for Hindus. We are both Hindus. Can you just give me a mobile phone? Can you just give me a mobile number? Can you give me a mobile number? I can give you 5 minutes. Now this facility got suspended. This facility of Aadhaar based marriage registration is temporarily available due to change in Aadhaar policy and new marriage registration rules. The process is incorporated about changes in progress and online marriage registration will be avail soon. So now they shut down the surveys. Shit. Shit. Shit. There are many. Many. You have to worry. The verse should be as 
infinite. It is not. It is not. It is not. But anyway there are interesting... Yes. Similar to this. Yeah. We know that. Yeah. So here... So in case you guys don't understand the impact of it, this is a reality. Just talk as much as you can. It may be too late or it may be not. Who knows. How many of you have a very hard time explaining this to your parents? Oh. My parents are pretty understanding. They say I am mad. Okay. So... Very, very understanding. Like, even trying to waste your time on this, I mean do something useful in your life. A lot of questions. Yeah. Maybe you have... Somebody has encountered this scenario. For the first time, I mean I was against Aadhaar for a long time. But finally I went and applied. And the application was not taken by the system. That means I got the enrollment ID. You said, they said you come back after three weeks, all that. So I kept going back. Every time the system will throw up an error. That means you cannot receive the other packet. That is the same error I used to get. So even after three or four months the same error was there. So finally they said you cancel that and you re-enroll it. So now I am asking whether this could be a case of duplicate enrollment. So if it never hit the CIDR... See, packet upload problems are very common. So what happens is your enrollment basically gets harder. And if they are never able to upload it, it never hits the CIDR and hence you will probably never get a duplicate Aadhaar. That's the best I can answer. If it only hits there, you said one more, basically you get duplicates. If you happen to stay within, outside those thresholds, but if it never hits, that's how it is. So what happens, what happened to my first enrollment? It got lost. It got lost. It's not that it is still in the system? It may go to the CIDR at a later point? No. Very unlikely. It happens a lot. There were close to 1.2 crore Aadhaar enrollments that Maharashtra lost, because in those days you used to send it on a physical hard disk and the hard disk got lost half day, and they used to send the 
physical hard disk on India Post. And the second question I have is... Some of you might have so many opportunities for those things. Some of you might have... Some of you might have... Sairad was saying CDs are available in the pirate market with the biometrics. Sorry, you are asking? Yeah. Second question is, some of you might have got a telecom connection using your RR, or let's say Jio connection or something. So when they authenticate, they get the details from UIDAI. Yeah. And does that detail continue your mobile number as a... Of course it did, it did for a while, but not now. Yeah, till Aadhaar API, Aadhaar eKYC API 2.0, it returned both email and mobile, but not now. From 2.1 onwards it is not. It is not. So for a very long time it did. Yeah, then the mobile number was not returned. Yeah, for a long time it did, but not now, because people made a lot of noise saying why the hell are you guys giving this information to other people. And secondly, is there a requirement that when an authentication is done you should get a notification? Of course you should. But I did not. Happens a lot. OTP gets lost. Yeah. OTPs get lost. So you can always go back and check the one that you are here. It is not OTP. Not OTP, but the... The acknowledgement was used. Yeah. That can also get lost. Notification also gets lost. If you go to the website... You go to the website and log in there and see it, you will be able to see it. Except you can just guess that at this great, at this time I was at the Jio Center. There is no name, just random numbers. Now I am talking about somebody using it. Yeah, there is a website which goes and tells all the authentication that you have made. You can go check that. But it keeps it for last 6 months or 50 attempts. But notifications... You should. You should get it. Yeah, you should. Yeah, you should get it if you have registered your mobile or email id is proper there. You should get it. You get a lot. No, I... You said you had to use it. So there is a problem I wanted to put it down, like you means all of us are saying that we 
should avoid using Aadhaar and all. But in the practically in their life... No, I think what they said is if you have Aadhaar you should use it. No, I think... No. If you have it, ignore it and try to be careful. Yeah, use it as little as possible because there are so many leaks in this. So the problem I want to put down, say here, is that practically it is like, it is a mandate now, everyday life. So recently I had a very urgent job in my hometown where I needed to open and back at home. So that time I only accepted biometrics to open the home. It didn't even accept anything else. So I had no choice there. So I had to scan the... Yeah, this happened with Jio also, where they said that they are only opening, they are only giving out museums using Aadhaar. But there is no method Aadhaar. Yeah, so that was a contract. Even in that... So yes, everywhere you were there they were already giving it, but for the operators it is the most convenient, easy, quick way, and there is also the chance of prodding customers, double authentication for example. Customers such as you who does not get SMS, you won't know if both were successful or just one, and that's how in Jio did that. MP or somewhere there was... No, but I registered for this. Yeah, and the MP case was busted, there must have been others. So recently I locked, I locked my biometrics from eight nine months back and I tried to use it some three months back to get a... it wasn't like that. And then did you unlock it? No, I did unlock it. It did not unlock, it did not, it was still the same thing. So that somebody said no, unlocking doesn't work sometimes. And here is the other interesting part, right? So here is the assumption pattern on biometrics which you have never covered. Do you really think there is a single body part in your body that survives time? No, right? So a permanent ID with a permanent marker doesn't really exist. And so... Yeah, it's not modeled on truth. It is not modeled on truth. And so what will happen is they will keep forcing you to keep re-enrolling again and again or updating your 
biometrics every three or five years. Okay. What is the story that we heard on Karnataka Austin? Five years. Ten years. Five years. So the fact of the matter is this, right, your fingerprint does change over five years enough that the machine, quality of the machine these guys use, is not able to recognize it and say it is you. So we call it as a probabilistic you: sometimes it is you, sometimes it is, it is not you. So when, say, biometrics in phones work like, if I give a wrong fingerprint and then I give a passcode, then it learns that it is actually me. So it saves the new copy and then builds on. So it learns from... Yeah. So here enrollment and authentication are two very distinct operations. Okay. And enrollment is fundamentally a very costly scanner. It is at least what we call a slap scanner. It has high resolution images and hence it is much more easier to capture your templates. Okay. The one that you see on the lines is basically Mantra systems, which is 3000, 2000 rupees. 2000 rupees. 2000 rupees. They don't even scan the full fingerprint. They basically scan part of it. Okay, and it is low resolution. Right. And every single guy puts it, puts it, puts it. So there is anyway mechanical wear and tear. Right. So the matching is worse, because matching works best... See, the numbers they claim as 2% or 3% failures is when the same system is being used for enrollment and authentication. Matches a lot, matters a lot. But then for these guys everything has to be cheap. Got it. So what they ended up doing was they gave this Mantra scanner, and this Mantra scanner is by very nature very low quality. And in image comparison, template comparison, quality matters a lot. So what happens is even in a small change the quality amplifies it. So there are known cases where even people who are not able to get it back often. So that is why they call it as playing dice with probability. It works. So the question is, does it, does the chance of acceptance of the, as you use it... No. Because they don't do learning. It's not a learning system. 
There is no re-enrollment happening every time there is a failure, because think about it. If it is really the case, then I can become you by repeatedly trying. All you need to know is Aadhaar number, which anyway you will be very happy to give, everyone gives it. Right. Should we call it an anecdote? Yeah, I would like to share one anecdote. Through my work we were working for an AEPS based system, which is Aadhaar, and we were working with an, I guess, ASA who is authorized to have the Aadhaar AEPS which can talk to banks, and we were to build a system where a common man can use it for online payments. For testing the system they sent us a physical fingerprint machine, but then we told them that we can't test it because our accounts are not linked and our employees will not do it. They sent us their own employees' fingerprint files over Gmail in an XML format. Imagine the possibilities. And we were sent to not one person but to team email id. Of course, why wouldn't people who work with Aadhaar and with such sensitive systems, where they themselves are dealing with the bank, do not know the consequences of what can happen if you share your own fingerprint data? Why we are not surprised. So finally we should go to speak for me dot in. Yeah. And take action. Yeah, this is what, take action, ask an MP to say do something about it, because there are only two avenues for it, okay? One is legislature. Executor will forget about it, and media is already over us. Whatever media that is happening is all sitting here. Alright, thank you guys. Thank you, and people on the livestream, bye.