“There is no need for an Aadhaar card whatsoever. This is a solution in search of a problem. And it is completely unthought out, very poor system designed if I may say so,” says Maj. Gen. (Retd) S.G. Vombatkere, one of the petitioners who has challenged the Aadhaar Ordinance, now Aadhaar Amendment Act, before the Supreme Court.

His is the writ petition that the Supreme Court has sought to include in the Facebook transfer petition case in which Facebook wants four petitions which deal(t) with Aadhaar-social media linkage in three high courts to be transferred to the Supreme Court.

In a conversation with MediaNama, Vombatkere explained why general surveillance of the Indian population through traceability is a bad idea, the lack of cybersecurity in India, and why he opposes Aadhaar.

‘Traceability is a violation of privacy’

On how traceability is a violation of privacy: “WhatsApp and Facebook and Google and all that are trying to get amongst the subscribers of social media so that they can sell your data. Today, data is the new oil. Why should I give my data to WhatsApp or Facebook or anybody? … [A]ll these things, including public surveillance and targeted surveillance, are already excused that they are protecting you from terrorists. So the government is saying that WhatsApp should be able to tell me, if I ask WhatsApp, who is the source of this particular message or this particular picture or whatever, then they should be able to find out and WhatsApp saying we don’t know how to do it is nonsense. They know how to do it.”

“They [the social media companies] know very well how to do it but the point here is that this revealing of data by WhatsApp, or by Facebook or whoever to the government is again a violation of privacy.”

On whether traceability, as is being argued in the Madras HC, should be enabled or not: “No, no. I am not saying that [traceability should be enabled]. I’m not saying that. Traceability, what all are the ramifications of this traceability are, I am not aware. But the point is that WhatsApp, etc., they all know how to trace your and my message. This conversation between you and me is traceable. They know very well how to trace it if they need to trace it.”

On the trade-off between citizen’s privacy, and crime prevention and law enforcement: “Then you have got to have targeted surveillance. People who are suspected to be up to some criminal activities, then you find out their identities and trace their calls. Don’t do general surveillance, untargeted general surveillance.”

On the need for a data protection law: “Data protection law is very, very important. … We have got the Right to Information Act, we have got so many other acts, like the MNREGA Act, and so on. And now these acts are being watered down deliberately by this government and previous government also. I am not pointing my finger at any one government. Even in the past, the RTI was deliberately watered down. … So you can have a data protection act and then you can have rules on that act which effectively nullify everything that the act issues. The devil is in the details.”

On why Aadhaar is a bad idea

Threat to national security as CIDR built by foreign vendors: “[T]he national security is compromised because the Central ID Repository, or the CIDR … was created by giving the contract to two foreign agencies, one being L-1 Identity Solutions which [had] later been purchased by [the then] Safran Morpho [Morpho, the company that owns L-1 Identity Solutions, is now called IDEMIA and is a French multinational company]. Now L-1 Identity Solutions is a US firm, but the board of directors of L-1 Identity Solutions are all members of the intelligence community. They have built the architecture of the CIDR and they know how to get into it even after they have handed it over to the UIDAI. The integrity of the database has been in question right from the time of formation. It is not as though we do not have competent IT engineers and experts in India who could have done it. We don’t understand what the reason is for going to an intelligence community connected foreign vendor to create the CIDR.” Lack of data silos makes the giant Aadhaar database more vulnerable: ”[With] individual databases, or data silos as we call them — whether it is the PAN or your bank account or whatever — if a hacker has to get into these databases, [s/]he has to hack into every single database separately. But when these are linked with Aadhaar, by getting [or] hacking into the Aadhaar database, the CIDR, it is possible to get into all the databases concerning that particular individual. It makes it easier. It gives a single point entry to your and my personal data which includes biometrics, demographics, everything. … [S]ince the Aadhaar database, the CIDR, is the country’s largest database, [with] some 1.2 billion people enrolled into Aadhaar, it means that it will be a blow to the sovereignty of India if the CIDR is hacked into.” Personal data is potentially compromised as it is entered into CIDR: “[B]efore it goes into the CIDR, the data is open source literally because the people who are enrolling the population into Aadhaar, they have to upload that information into UIDAI CIDR. So for 24 hours, my data, your data is lying with the bloke who has not been checked by the government, or who is not a government employee, who is not under the Official Secrets Act, [s/]he has go no security liability whatsoever. Whether [s/]he uploads the data and does not delete it, or whether [s/]he sells that data, or [s/]he saves that data somewhere else, or it is taken by somebody else and [s/]he is not responsible — the point is that the data is lost.” De-duplication processes are futile: “[CIDR] talks about avoiding ghosts or duplications [through] a de-duplication procedure. Now that doesn’t work because the authentication of the fingerprints, for example, does not work with old people or people who do manual labour because their fingerprints wear out. The de-duplication is not possible. You get a whole lot of false positives. The system itself is faulty.” Aadhaar is not a proof of citizenship, nor does it effectively establish identity: “[T]here is the question of people, some respectable citizen identifying a person who does not have documentary proof of his[/her] age or his[/her] address. And the Aadhaar is also not a proof of citizenship. It is only a proof of residence. If you have more than 182 days of residence in India, you can apply for an Aadhaar card. And Bangladeshis and Pakistanis have been found with Aadhaar cards. … That is used by terrorists and anti-national elements to get an Aadhaar card. Based on the Aadhaar card, there have been at least three cases where people got their passports. … And they have been arrested at the airport and all that.” Privacy: “Then there’s the privacy issue, of course.”

On whether his opposition to Aadhaar is premised on implementational problems, or if he is on principle opposed to it: Aadhaar is not okay because it is not necessary. Your voter ID card has got … 10 alpha-numeric characters. And you … could have converted it. … There are existing identification systems, several photo identification systems exist. There is a PAN account, there is a ration card, there is a bank account number and there’s the EPIC, the Elector’s Photo Identity Card.”

On how the Voter ID is a better alternative to Aadhaar: “Now if you look at the photo identity card, it is a unique 10-character alpha-numeric string and the EPIC provides proof of citizenship. It includes the photograph, it gives the full name, full address, sex, date of birth, and father’s, mother’s or husband’s name, okay? It provides a unique identity with several details. Only the biometrics are not there. So this voter ID card could have been legally extended to include biometrics. … [I]n the case of the EPIC, [number of variations] will be much more than [with the Aadhaar number] because it has 4 alphabetic characters followed by 6 numerical characters. It could easily provide more variations than the Aadhaar number. It could cater to 1.2 billion, or even a 2 billion population. Why was this just not considered?”

On how the Aadhaar system actually benefits only the IT industry: “The reason is that Aadhaar provides a lot of benefit to the IT industry, to the software and the hardware industry. … [W]hen you have Aadhaar, and there is going to be authentication at 1 million places all over India, then there are going to be at least 1 million fingerprint devices for you to put your fingerprint [on] to authenticate your identity. It is going to provide a lot of business to the IT industry, to broadband, to your communications so that authentication can take place, a million people can authenticate at the same time, in the same 10 seconds or something. Then there is going to be replacement of those machines. … There’s no doubt that there are advantages but the point is that the advantages go to the business, not to the people. The people lose their privacy. And the corporations get the advantage of making much more money. And losing your privacy today is going into surveillance. It is going into untargeted surveillance.”

On how the then Aadhaar Ordinance, now Act, creates backdoor access for private parties: “Yes, yes, backdoors are [created in] … the whole of India, including the Indian Army, Navy and Air Force, … and in the whole Defence Ministry, the whole Defence Bureau, the Home Ministry, every single department of the government, it’s your laptop and my laptop. All have motherboards which are purchased from foreign vendors. And there’s no guarantee. And now we are cutting a deal with China for Huawei company. How do you know that they haven’t put a chip or a backdoor into your motherboard of your machine? How do you know that there are backdoors in the machines of the UIDAI?”

“Our cybersecurity, our cyber defence, is zero. Z-E-R-O. Zero. Zilch.”

On lack of cybersecurity in India

On how, despite National Cyber Security Coordinator, Lt Gen. (Dr) Rajesh Pant’s claim that India will release a Cybersecurity Strategy in 2020, India’s cybersecurity is still woefully inadequate: “Policy is one thing. Implementing the policy is another thing. And that’s going to take time. You are working on policies, [but] in the meantime, you are compromised. Today, if a Chinese hacker, sponsored by the government of China hacks into, say, your banking system, [s/]he can shut down your baking system and close down your economy for three days, by DDOS. You know [distributed] denial of services. Today, you have got no cybersecurity. We don’t even understand that there is a problem. Only when you understand that there is a problem you can begin to solve the problem. And UIDAI and Aadhaar provide a very convenient lever for any anti-national, anybody to screw the country.”

If, the Aadhaar database, should be part of the critical areas that is accorded extra layers of protected, as explained by Lt Gen. (Dr) Pant: “I am sure that General Rajesh Pant knows that every system is safe until it is hacked. That’s all. If a teenager can hack into NSA, CIA in the USA, what makes you think that they can’t hack into CIDR? Come on, these chaps live on a different planet.”

Dive Deeper: Facebook Transfer Petition | WhatsApp Traceability Case