Kiran Jonnalagadda is a geek at heart. The Bangalore based startup Hasgeek, which he co-founded in 2010, organises events to create a discussion space for other geeks to come together. If you are not a hacker, you may have not probably heard of HasGeek.

These days Kiran is better known in cyberspace for his critique on the implementation of Aadhaar, the world’s biometric identity system being executed in India.

Also co-founder of the Internet Freedom Foundation, Kiran Jonalagadda raises his concerns about data security, the biometric system and storage of Aadhaar data with Moneycontrol. Edited excerpts:

You have always said that your views on Aadhaar are personal. Does your criticism rest on moral grounds? What does it imply for the techie community?

Yes, to a large extent. As techies, we have to be aware that the software we build is impacting lives also.

If you believe that is not your problem then there is a moral issue.

It’s fine to say that the ethics of impact is not same as ethics of creation.

The system was created to do good, but it could be used for vested interests.

But that doesn’t still absolve the creator’s responsibility towards making sure that it is used right.

They claim that the system is completely foolproof and it’s safe. So are you saying there is no scope for it to be misused?

To that they say “the problems are not serious. The technology will improve.” What happens in the meantime? Crores of people who are already under the net, what happens to their data in the meantime?

My problem with authorities behind Aadhaar is that they don’t acknowledge their moral responsibility behind it.

What are your technical concerns with Aadhaar’s authentication system?

First, it is believed that Aadhaar is giving identification to people who don’t have it.

That’s not true! It is just putting it in electronic form. PAN card, Driving Licence and everything else can also be digitised. The basic tenet of Aadhaar is surveillance.

That’s why it is required to be linked to every other document.

Second, the data recorded by UIDAI is super insecure.

Hacking fingerprints is the easiest thing; there have been many recorded instances of fingerprint fraud.

Just take my phone and you will have it! You can read fingerprints on a photograph, that’s the least it takes to hack your unique ID.

Fingerprints have never been impregnable, and claiming that fingerprint authentication is secure is untrue.

Another problem is that there is no differentiation between authorization and authentication.

The act of signing a cheque is authorization. The fact that only that particular cheque was signed and no other means that I authorized only that piece of paper.

But Aadhaar confuses authentication with authorisation.

The act just states that you cannot store authentication, but where is the checking mechanism? The problem is that if the government says forgery is punishable, it doesn’t absolve the banks of the responsibility of checking if there is a forgery.

With Aadhaar, there is no way to see if the fingerprint was actually stored or not. The only way they will know is if someone points it out or the perpetrator admits to it!

Bangalore airport has now installed scanners on gates where you can just scan your Aadhaar and enter. It’s not operational yet, but it is fine as a convenience mechanism.

What’s not clear is who is keeping the data. A guard checking your ID is not keeping a record. But a scanner will. How long is it being held, and who has access to it!

There is a lot of data of citizens that banks also store, isn’t that insecure?

Banks are relatively safe because they have strict guidelines against sharing data.

RBI is very strict about it. RBI regulates them on cross-marketing based on user data.

So there is a regulator. Aadhaar act says you cannot display the Aadhaar ID numbers to the public. But it says nothing about the trading of that data, which already exists in a third party system.

A bank has provisions in place to check if a signature has been forged, and also if it has been cut pasted from a different source. With Aadhaar, there is no such safeguard.

To top it all, there is no grievance resolution mechanism. Those who vent on Twitter manage to attract attention. But what about those who cannot reach out. There are no checks and balances.

Why do you say Aadhaar is for surveillance and not preventing leakages?

It was meant to be for surveillance at the first place. If you look at the design of Aadhaar, it was built to check for cheats in the supply chain – basically beneficiaries who could take advantage of government schemes.

The basic tenet of Aadhaar assumes that people are cheats and it wants to monitor them.

Now to find those cheats blanket surveillance is the only way to go. It is not like they start monitoring after a cheating case has surfaced.

On the other hand, there have been instances where the forgery or duplication or denial of benefit has happened from the government.

That discrepancy cannot be plugged by monitoring the citizens. They say that if the beneficiary is monitored, anyone in the supply chain leading to the beneficiary can be caught.

But again, there are people with a skin condition, infants, and some elderly are automatically excluded because biometrics essentially is for people between teens and middle age.

Although, the Act says that such a person can register with the help of a guarantor.

Isn’t that a contradiction? If 100% population is not on the system, how do you catch a fraud?

What are the checks and balances government should put out in the system?

I feel Aadhaar in itself is not a bad concept. My concern is that there are no checks and balances. The mistake is that they drove it too fast.

They have taken a concept that works well for a large population and expanded its ambit to include the entire nation.

I am perfectly okay with the fact that Aadhaar, if managed with proper checks and balances, is not a very bad idea.

But they haven’t given any time for the whole concept to mature and include provisions for all eventualities. If it’s too fast you are going to make terrible mistakes.

What are the legal concerns you have about the Aadhaar program and its appeal mechanisms?

As per the Act, you cannot approach the court against Aadhaar, without the permission of UIDAI.

So they are essentially immune. Another clause says that any Aadhaar official acting in good faith is exempt from any violation.

So a leak is fine if the official didn’t mean to leak it! They are not liable under the Act!

So when CIS report pointed out that 200 million numbers are already in the public domain, they penalised CIS with three legal notices.

It got them worried, and pursued a denial because repealing all of those numbers will be a living nightmare.

According to the Act, if Aadhaar info is compromised, they will give you a new number.

It will also cost UIDAI loads of money. By arm twisting agencies such as Centre for Internet & Society, they are sending a warning signal to everyone that if you speak against it, you will be penalized. So in that situation funds also dry out.

They are sitting on this problem and wondering what to do, so let’s ask people who are reporting this, to shut up!