Hacker News new | past | comments | ask | show | jobs | submit login
India’s about to hand people data Americans can only dream of (bloomberg.com)
161 points by haltingproblem 8 months ago | hide | past | favorite | 18 comments

When I first (mis)read the title, I had a mini heart attack, thinking that the govt was going to hand over a lot of personal data to private companies.

Instead, it appears that they're trying to give citizens more access to and control over their data which seems nice.

That said, the Indian government really don't have a great track record of securing citizens' data. I hope they do a better job this time.

This is the brainchild of Nandan Nilekani. He also developed UPI and Aadhaar. The former is amazing. The latter is... controversial at best. But they really fudged up user privacy, and essentially "tricked" millions into giving up their biometrics and personal info - which were then leaked, stored on US servers, etc. :(

Let's hope they've learnt from their mistakes.

More info about Aadhaar "scandals":

[1]: https://www.firstpost.com/tech/news-analysis/aadhaar-securit...

[2]: https://m.timesofindia.com/city/hyderabad/tdp-app-keeps-aadh...

A major problem with Aadhaar is how UIDAI has completely discounted the fact that Aadhaar will be used by people who have zero idea about technology/computers. "Most" of the scandals with Aadhaar has been social engineering to gain access or clueless government officials printing the data and putting it up publicly on their department websites.

99% of the cases I see is humans being completely inept at handling data - most of them probably don't even realize the implications of such a central repository of data.

Fortunately, UIDAI has made some improvements. You can lock your biometric authentication and every request to verify will fail until you unlock for 10-15 mins. They have implemented a virtual ID over Aadhaar which can be used for verification without handing over your original number - but here's the problem, institutions have no idea that these numbers are valid too!

I do believe that a system like Aadhaar is necessary for India BUT govt institutions like UIDAI cannot and should not declare their end of responsibilities at just the technical level (which UIDAI frequently does by claiming that data is housed in secure vaults and encrypted and blah blah). If you build a system which will be responsible for a billion lives, you are also responsible for teaching people safety and enforcing requirements which minimise, if not eliminate, social engineering.

At the end of the day, you are a government institution, not a company.

The technical side of Aadhaar is also incredibly inept. There is several days worth of reading material at https://medium.com/karana.

> This is the brainchild of Nandan Nilekani. He also developed UPI and Aadhaar. The former is amazing. The latter is... controversial at best.

UPI is one of the shadiest thing ever. A non profit whose owners are unknown built a suite of technologies and UPI was one of them. I think they did not even build it, it was built by some for profit company and non profit was a front to pimp this idea to government. When India went through the horror show of demonetization the government forced all the banks (most of which I government owned) to implement UPI, these banks who can not develop a webpage without getting their panties in twist suddenly had UPI stack working for them within few weeks (India's largest bank is SBI and their homepage is named mypage.htm, they do not allow ' $ and " in their passwords because they are "hacking characters").

Some people who work with the non-profit Indiastacks were in bay area recently trying to earn some silicon valley creds to pimp this to African countries.

UPI is great and works well but I am not sure the backstory is clean.

On paper this sounds great.

In reality I suspect they've created an extremely rich single digital target whose security isn't up to snuff if Aadhar is any indication, and the entire country is about to have an unintentional experiment with completely open finances.

It's not single. Eight Account Aggregators are already approved. Go through the technical architecture for better understanding.


This smells like a big wooden horse. Also are we not mentioning the very icky bits about citizenship shenanigans happening right now[0]? The invalidating larger bank notes just a few years prior[1], no doubt to facilitate these very shenanigans?

[0] https://qz.com/india/1781692/in-photos-india-refuses-to-stay...

[1] https://www.reuters.com/article/us-india-modi-corruption-idU...

The entity behind it: https://sahamati.org.in/

Nandan Nilekani (cofounder of Infosys and one of the main architect of India digital payment movement - UPI [0]) launched Sahamati (='consent'), a private not for profit company, that aims to be self regulatory organisation for Account Aggregator ecosystem which aims to facilitate financial sharing among financial institutions with user consent.


[0]UPI: https://en.wikipedia.org/wiki/Unified_Payments_Interface

Would like to add the fact that India's identification system Aadhar is also Nandan Nilekani's brainchild.

Don’t fall for this traps.

Never trust a government launched projects which try to disguise itself as good for society and turn it into a tool against the citizens themselves.

For example India launched Aadhar for having identity of every Indian, but it was not enough now government is working on another project called National Population Register (which started in 2010 before aadhar was available and is unnecessary today), which will be used to issue another identity card and it will be at government discretion to decide who is the citizen of India (survey question for this asks the religion or ethnicity of the person according to rules framed by current government for NPR). It’s controversial and government of India is repeating copy of same statement what aadhar was designed for to determine and provide benefits to Indian citizens.

On the surface Indian government monetary agency says it will be on people’s consent on the other hand Government of India is launching another program to force every details of Indian citizen stored by companies like internet service providers, google, Facebook etc. to be accessible to government agency in India without users consent. Indeed Mozilla launched a campaign in India to get clarity on it, as it is happening in closed corridors of power without Indian citizens consent or knowledge.

Combine whole online history with each and every financial transaction and credit history and give it to government agency. It will lead very quickly to a dystopian world and there are example of governments in world already doing it. China can ban its citizens from travelling, buying daily necessities at a click of a button. USA can imprison anyone for even an unproven offence in many parts of the world like the way an executive arrested in Canada or American citizen kept in Guantanamo without trial or due process.

I hope there is a movement that government should be restricted to serving its citizen instead of ruling and controlling them.

Based on what I have seen so far only rich and powerful with resources thrive in autocracy, communism or democracy, for general citizens any remedy is costly and they will suffer even if may get some relief in the end it might be too late. If government becomes all too powerful as it is happening everywhere in the world now, dystopian world where rich and powerful rule the rest is not far away. (Government trying to become more powerful everywhere these days by taking away privacy rights, asking for unfettered access to financial and daily life, use them to restrict citizens).

NPR will require a lot of demographic information which is currently not present in Aadhar. It doesn't seem completely pointless.

This kind of lines up w/ my Unified Privacy Theory, which is: Our largest data problem isn't privacy but disproportionate access to data.

This is made worse - btw - by privacy laws that limit access to data by you and me but not by powerful interests, w/ a history of ruining lives.

Would you happen to have any expansion of this theory posted somewhere?

I'd add a few other observations:

- Information by itself isn't power, but is a power multiplier. Given any two entities, and an extant power imbalance, an informational equality between the two still favours the more powerful. Yonatan Zunger, chief architect of G+, made this point eloquently rebutting David Brin's "Transparent Society" argument.

- Privacy alone (or analogues such as anonymity or pseudonymity) are secondary to impunity as an enabling mechansim. For the disadvantaged, privacy and anonymity rights allow redress against the privileged. For the privileged, it's often immunity or impunity that offers sufficient protection. The "MeToo" movement, particularly Epstein and Weinstein cases, are examples of a sudden loss of immunity. For international espionage and terrorism, it's not mastermind wizardry so much as inability to effectively sanction which enables actors, state or non-state.

Some of the arguments raised against GDPR address this -- that the powerful will seek to have inconvenient content redacted, while ordinary citizens would be unable to. My read is that this risk is overstated, though it's one to consider.

The whole data-broker sector, predicated on bulk access to consolidated and well-structured data (postal address change records, DMV, voter registration, credit card purchases, credit scores, browser history, etc., etc., etc.) is a case in point of what you describe.

This sets up an interesting problem for those that accept time-limited data but do not delete it in a timely manner, or surreptitiously copy, package and sell it. How will the state detect and punish that kind of abuse?

Does this cut out financial aggregators? If not, will they be able to access this system?

You see a dream, I see a nightmare.

This going to be a security nightmare. AADHAR data has already been leaked/sold by unscrupulous vendors.

Applications are open for YC Winter 2021

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact