
India’s about to hand people data Americans can only dream of - haltingproblem
https://www.bloomberg.com/news/articles/2020-01-13/india-s-about-to-hand-people-data-americans-can-only-dream-of
======
rahuldottech
When I first (mis)read the title, I had a mini heart attack, thinking that the
govt was going to hand over a lot of personal data to private companies.

Instead, it appears that they're trying to give citizens more access to and
control over their data which seems nice.

That said, the Indian government _really_ don't have a great track record of
securing citizens' data. I hope they do a better job this time.

This is the brainchild of Nandan Nilekani. He also developed UPI and Aadhaar.
The former is amazing. The latter is... controversial at best. But they really
fudged up user privacy, and essentially "tricked" millions into giving up
their biometrics and personal info - which were then leaked, stored on US
servers, etc. :(

Let's hope they've learnt from their mistakes.

More info about Aadhaar "scandals":

[1]: [https://www.firstpost.com/tech/news-analysis/aadhaar-
securit...](https://www.firstpost.com/tech/news-analysis/aadhaar-security-
breaches-here-are-the-major-untoward-incidents-that-have-happened-with-
aadhaar-and-what-was-actually-affected-4300349.html)

[2]: [https://m.timesofindia.com/city/hyderabad/tdp-app-keeps-
aadh...](https://m.timesofindia.com/city/hyderabad/tdp-app-keeps-aadhaar-
information-on-amazon-cloud/articleshow/68263120.cms)

~~~
inapis
A major problem with Aadhaar is how UIDAI has completely discounted the fact
that Aadhaar will be used by people who have zero idea about
technology/computers. "Most" of the scandals with Aadhaar has been social
engineering to gain access or clueless government officials printing the data
and putting it up publicly on their department websites.

99% of the cases I see is humans being completely inept at handling data -
most of them probably don't even realize the implications of such a central
repository of data.

Fortunately, UIDAI has made some improvements. You can lock your biometric
authentication and every request to verify will fail until you unlock for
10-15 mins. They have implemented a virtual ID over Aadhaar which can be used
for verification without handing over your original number - but here's the
problem, institutions have no idea that these numbers are valid too!

I do believe that a system like Aadhaar is necessary for India BUT govt
institutions like UIDAI cannot and should not declare their end of
responsibilities at just the technical level (which UIDAI frequently does by
claiming that data is housed in secure vaults and encrypted and blah blah). If
you build a system which will be responsible for a billion lives, you are also
responsible for teaching people safety and enforcing requirements which
minimise, if not eliminate, social engineering.

At the end of the day, you are a government institution, not a company.

~~~
jace
The technical side of Aadhaar is also _incredibly_ inept. There is several
days worth of reading material at
[https://medium.com/karana](https://medium.com/karana).

------
vorpalhex
On paper this sounds great.

In reality I suspect they've created an extremely rich single digital target
whose security isn't up to snuff if Aadhar is any indication, and the entire
country is about to have an unintentional experiment with completely open
finances.

~~~
ashwinm
It's not single. Eight Account Aggregators are already approved. Go through
the technical architecture for better understanding.

[https://sahamati.org.in/account-aggregators-in-
india/](https://sahamati.org.in/account-aggregators-in-india/)

------
JackRabbitSlim
This smells like a big wooden horse. Also are we not mentioning the very icky
bits about citizenship shenanigans happening right now[0]? The invalidating
larger bank notes just a few years prior[1], no doubt to facilitate these very
shenanigans?

[0] [https://qz.com/india/1781692/in-photos-india-refuses-to-
stay...](https://qz.com/india/1781692/in-photos-india-refuses-to-stay-quiet-
in-the-face-of-repression/)

[1] [https://www.reuters.com/article/us-india-modi-corruption-
idU...](https://www.reuters.com/article/us-india-modi-corruption-
idUSKBN1331WT)

------
achow
The entity behind it: [https://sahamati.org.in/](https://sahamati.org.in/)

 _Nandan Nilekani (cofounder of Infosys and one of the main architect of India
digital payment movement - UPI [0]) launched Sahamati (= 'consent'), a private
not for profit company, that aims to be self regulatory organisation for
Account Aggregator ecosystem which aims to facilitate financial sharing among
financial institutions with user consent._

[https://medium.com/karana/sahamati-sro-for-financial-data-
sh...](https://medium.com/karana/sahamati-sro-for-financial-data-sharing-
ecosystem-d93d0169c2b8)

[0]UPI:
[https://en.wikipedia.org/wiki/Unified_Payments_Interface](https://en.wikipedia.org/wiki/Unified_Payments_Interface)

~~~
Magodo
Would like to add the fact that India's identification system Aadhar is also
Nandan Nilekani's brainchild.

------
dragonsh
Don’t fall for this traps.

Never trust a government launched projects which try to disguise itself as
good for society and turn it into a tool against the citizens themselves.

For example India launched Aadhar for having identity of every Indian, but it
was not enough now government is working on another project called National
Population Register (which started in 2010 before aadhar was available and is
unnecessary today), which will be used to issue another identity card and it
will be at government discretion to decide who is the citizen of India (survey
question for this asks the religion or ethnicity of the person according to
rules framed by current government for NPR). It’s controversial and government
of India is repeating copy of same statement what aadhar was designed for to
determine and provide benefits to Indian citizens.

On the surface Indian government monetary agency says it will be on people’s
consent on the other hand Government of India is launching another program to
force every details of Indian citizen stored by companies like internet
service providers, google, Facebook etc. to be accessible to government agency
in India without users consent. Indeed Mozilla launched a campaign in India to
get clarity on it, as it is happening in closed corridors of power without
Indian citizens consent or knowledge.

Combine whole online history with each and every financial transaction and
credit history and give it to government agency. It will lead very quickly to
a dystopian world and there are example of governments in world already doing
it. China can ban its citizens from travelling, buying daily necessities at a
click of a button. USA can imprison anyone for even an unproven offence in
many parts of the world like the way an executive arrested in Canada or
American citizen kept in Guantanamo without trial or due process.

I hope there is a movement that government should be restricted to serving its
citizen instead of ruling and controlling them.

Based on what I have seen so far only rich and powerful with resources thrive
in autocracy, communism or democracy, for general citizens any remedy is
costly and they will suffer even if may get some relief in the end it might be
too late. If government becomes all too powerful as it is happening everywhere
in the world now, dystopian world where rich and powerful rule the rest is not
far away. (Government trying to become more powerful everywhere these days by
taking away privacy rights, asking for unfettered access to financial and
daily life, use them to restrict citizens).

~~~
sbmthakur
NPR will require a lot of demographic information which is currently not
present in Aadhar. It doesn't seem completely pointless.

------
WarOnPrivacy
This kind of lines up w/ my Unified Privacy Theory, which is: Our largest data
problem isn't privacy but disproportionate access to data.

This is made worse - btw - by privacy laws that limit access to data by you
and me but not by powerful interests, w/ a history of ruining lives.

~~~
dredmorbius
Would you happen to have any expansion of this theory posted somewhere?

I'd add a few other observations:

\- Information by itself isn't power, but is a power multiplier. Given any two
entities, and an extant power imbalance, an informational equality between the
two _still favours the more powerful_. Yonatan Zunger, chief architect of G+,
made this point eloquently rebutting David Brin's "Transparent Society"
argument.

\- Privacy alone (or analogues such as anonymity or pseudonymity) are
secondary to _impunity_ as an enabling mechansim. For the disadvantaged,
privacy and anonymity rights allow redress against the privileged. For the
privileged, it's often immunity or impunity that offers sufficient protection.
The "MeToo" movement, particularly Epstein and Weinstein cases, are examples
of a sudden loss of immunity. For international espionage and terrorism, it's
not mastermind wizardry so much as inability to effectively sanction which
enables actors, state or non-state.

Some of the arguments raised against GDPR address this -- that the powerful
will seek to have inconvenient content redacted, while ordinary citizens would
be unable to. My read is that this risk is overstated, though it's one to
consider.

The whole data-broker sector, predicated on bulk access to consolidated and
well-structured data (postal address change records, DMV, voter registration,
credit card purchases, credit scores, browser history, etc., etc., etc.) is a
case in point of what you describe.

------
javajosh
This sets up an interesting problem for those that accept time-limited data
but do not delete it in a timely manner, or surreptitiously copy, package and
sell it. How will the state detect and punish that kind of abuse?

------
sbmthakur
[https://outline.com/sRS3FJ](https://outline.com/sRS3FJ)

------
sbmthakur
Does this cut out financial aggregators? If not, will they be able to access
this system?

------
Jamwinner
You see a dream, I see a nightmare.

------
noobtube
This going to be a security nightmare. AADHAR data has already been
leaked/sold by unscrupulous vendors.

