So if you were here for the previous talk, you know that it was overwhelmingly depressing and it dealt with, you know, the CIA illegally spying on people and Julian Assange being under constant surveillance. And you think it cannot possibly be worse, but it can! Because our next speaker is going to tell you about systems for collection of biometric data and digital identities, and how they can potentially make lives worse, not just for dozens of people, but for hundreds of millions of people, or billions of people. So let's hear it for Kiran Jonnalagadda! Yes: "Unpacking the compromises of Aadhaar and other digital identities inspired by it" Kiran is the founder of Carana Projects, an organization examining identity programs. So he's going to tell us about the most depressing thing you're going to hear in this room today. Thank you. Thank you Kiran.

Kiran: Thanks, everyone! I'm glad to be here. So let's get started. As always, these things start with an origin story. So in the beginning, we did not have identity cards. Everybody knew you by your name, or by your face. And then things got a little complicated.
And we got ID papers. And before long, this was a meme. Where are we? Come on. Technology doesn't like working. It doesn't want to work. Yes.

So we are hackers. We like to think all problems can be solved by hacking. And a decade ago in 2009 in India, some of our kind looked at this ID paper problem and thought: There has to be a better way. And why do papers have a life of their own? What happens if you lose your papers? Do you not have identity anymore? What happens when papers are confiscated? Does that change who you are as a person? And how do you think of this in a better way? And so for inspiration let's go back to the Voyager spacecraft. When the Voyager spacecraft left Earth for outer space, it carried this image on it. Now, this is the Aliens edition of showing ID papers. "Who are you? – We are humans." This is good for the space. Then why can't we do something like this on Earth? So these people started asking: Why do you need to see my I.D.? You can see me. My body is my ID.

So this is nice, but bodies can't go online. And so you need to somehow extract the soul of a body and take it online. And this is not an idle reference; this is, in fact, how they think about it. And this is the statement that they make explaining how they think about this, that your soul, your Atman, can be uploaded into the cloud and then exists online. And how do you do this? Right. The approach that they took up was to say "Collect all your biometrics". They take your photograph, they take your fingerprints, all ten fingers, they take two iris scans. And they give you an Aadhaar, which means "foundation", which is supposed to be the foundation of the rest of your life. This is quite literally now how you go into cyberspace, in their vision. Now, if they want so much data from you, what more could they possibly want? And this is something that worried the judge of the Supreme Court of India, who went on to ask "Well are you going to do this next?".
At this point, you would wonder, is this satire or is it science fiction? Well, look, the database they built has 1.25 billion entries in it. And this is how they announce that number: with a Christmas greeting.

So where do they keep this data? As computer programmers, we often struggle to explain technical concepts to a non-technical audience. And this is sort of what happened in the Supreme Court of India, when a case against Aadhaar was being heard last year: The attorney general, Mr. K. K. Venugopal, who was 87 years old at the time, explained data storage to the justices of the Supreme Court, explaining that "it is stored behind in a complex that has walls that are 13 feet high and five feet thick. Therefore, it is safe." *laughs* So as you can expect, the public found this very funny. And since then, 13-foot-wall is a meme in India. What are you doing? Well, it's behind a 13-foot-wall, so nothing to worry about.

But this isn't about jokes. So we can go back to Arthur Clarke who made this statement, you know, that "any sufficiently advanced technology is indistinguishable from magic". Your average person does not understand how technology works. So to them, technology is magic. And this essentially then means that we hackers, who understand technology, are society's magicians. You got a magic wand, you wave it, and problems are solved. And this is how people think this is supposed to work. But we know better. We actually know how technology works. And we do – we do know when technology does not work. And it is important to us to call it out. And that's what I'm here for today: To explain to you why this technology does not work and what we need to be doing about it.

So let's start off with the basics. What does Aadhaar actually collect? This is their database structure. They collect biometrics and they collect demographics.
In the biometrics, they classify them into two components: The core biometrics, which are your fingerprints and iris scans, are considered extremely confidential data, and will never be shared. That's the mandate that they offer. But your photograph, which is also biometric, can be shared, because it is, after all, what goes into an identity card. The other part is the demographics. They collect your name, your date of birth if it is known, a lot of people in India do not know when they were born, your gender. You can declare yourself as transsexual, that's accepted in the Aadhaar system. And then they collect the postal address. And this information is what you submit when you enroll.

Your biometrics are then sent for deduplication against the entire database, so there are a billion plus records in there. If you enroll today, they will compare your biometrics with every single record already in the database to confirm that it's not already in it. Now this is a process that takes roughly about 45 days. So that's how long it takes for them to confirm that you are a new enrollee, and you now have an Aadhaar number that is guaranteed to be unique.

And anybody can apply. The only requirement is that you are physically present in India. The law says you have to be there for 180 days, but nobody checks. So you can just walk into any Aadhaar enrollment center, sign up and you would have an ID. Though the number that is assigned to you is sent to you by post. You do not get notified online, and the letter that they give you, it looks like this, is essentially the way they confirm that your address is actually real. Because if this was your address, you're supposed to see the card and therefore your proof of address is confirmed. This, as you can expect, is a serious problem for migrant workers, who cannot guarantee where they are going to be when the letter arrives. But we'll get to that later. So the APIs are available.
There are three basic APIs: There is a Demographic Identification API, which is unfortunately mistakenly called an authentication API, even though it's not. What you do with this API is, if you're calling the API, you submit an Aadhaar number and you submit a piece of demographic information, like you say "This Aadhaar number and this name, do they match?". And you get a yes or no answer. You do not get any other information back. Or you can do this with a fingerprint authentication: You actually upload a scanned fingerprint and Aadhaar number and say "Do these things match?" and you get a yes or no. Or if you cannot take a fingerprint for whatever reason, you can ask for a password to be sent to the phone number that has been registered, and you get a 6-digit number, give it the number and the Aadhaar number and say "Do they match?". And then you verify that somebody gave you the right one-time-password and therefore you authenticated into that account. All three of these APIs do not give you any information from the database. Except there's another one called the "Electronic Know Your Customer" (KYC) Database, which is used for ID checks for institutions like banks, where you do get the information back. But we'll get to that again later.

Now, if you take just this minimalist API, see: Very little data collection apart from biometrics, very little demography collection, and nothing is ever written back outside of the KYC API. So on the basis of this minimalism, the Unique Identification Authority of India (UIDAI) claims that it cannot be used for surveillance, because it does not know anything. This is a public claim that they repeatedly make. Except for one little detail. The Aadhaar number itself is now a universal foreign key, because that's what you use to authenticate with Aadhaar into some other database. And who runs those databases? As it turns out, it's the government. Most of them are by the government.
So, if you have a government that is really interested in surveillance, and a department of the government runs an ID program, which it claims cannot be used for surveillance, what should the government do when it really wants to use it for surveillance? Well, they make it mandatory for everything. And that gets you a situation where Aadhaar is officially voluntary, but in practice mandatory. Which leads to the next meme in India: "Aadhaar is voluntarily mandatory."

So let's look at what it is mandatory for. It is mandatory to collect any welfare benefit. It is mandatory if you want to pay tax, or rather, pay – file your tax returns. I mean, nobody will ever do that. See? We will not take your tax money. To file your tax return, you need Aadhaar. If you do not earn enough to file taxes, and you collect welfare, you need Aadhaar. So that's like everybody is covered. To get a birth certificate for a newborn baby, you need an Aadhaar for the baby. To get a death certificate for someone who has died, you need an Aadhaar number for the person who died. If you want to get married, well, both parties have to provide an Aadhaar number. At this point, it's like: What's left? Who is it optional for?

Now, the death certificate part is interesting: How do you verify the Aadhaar number of a dead person? You can't take the fingerprints. I mean, the dead can't consent. Apart from the fact that technology would stop working once the body gets cold. You can't send a one-time-password to a dead person's mobile phone, because that's indistinguishable from theft. My phone has been stolen and somebody declared me dead. I mean, is that acceptable? So, they in fact, do not have any authentication for dead people. Someone's dead. You can't get a death certificate without providing an Aadhaar number and, well, they didn't sign up for Aadhaar in their lifetime. So what do you do now? You submit any random number.
Sometimes you submit your own number, sometimes a coroner submits their number. And so now what you get here is your first instance of a database that is supposed to be biometrically secure and authenticated, completely failing to do its purpose, because this is a use case that's completely not been considered. And this is not unusual. The APIs I just described require a license. That license is almost impossible to get. So what do most people do? Well, they just take an Aadhaar number and put it in the database. They don't bother to take anything about it.

So what happens here is, in the implementation of Aadhaar, there is this recurring confusion between three very different concepts: identification, authentication and authorization. The fact that you can accept my ID and confirm it as legitimate is not the same thing as confirming that I'm the holder of the identification, and is not the same thing as me saying "I'm okay with you doing something in my name". These are three different things.

I'll give an example of where this can go massively wrong. In 2017, the telecom regulator issued an order, asking telecom companies to authenticate all of their customers to make sure that there were no SIM cards issued to people that they do not know who they were issued to. So they forced an exercise across the country, asking telecom operators to go find their customers and get them to authenticate with Aadhaar. Telephone companies have become so big in India that they're turning into banks. And so this happened with one of them. And after this exercise, a lot of people started complaining that they were not receiving welfare benefits anymore. I mean, you authenticated your phone connection and your welfare stopped. What happened? So this turned into a bit of a scandal. And eventually we discovered what had happened. All of them had opened new bank accounts that they did not know existed, and the welfare money was going to the new bank account.
Here is how much the actual fraud was, and this is just one telecom operator: The telecom operator had obtained a banking license, and they were desperate for customers. So when you went to authenticate your phone connection, they used that authentication as authorization to open a bank account and reroute your subsidy money. And you would not even have been aware of that. And so the scam essentially stole 1.9 billion rupees from 310,000 individuals, for one telecom operator alone. I think the number is wrong: It's not 310,000, it's 3.1 million. I'm sorry, I'm off by one 0.

So, how do you make a mistake this fundamental in your design? And for this we have to go back to the attorney general. Now, the same day that he said that it's protected by a 13-foot wall, he also went on to explain what the whole point of Aadhaar was. And as you can see, the assumption made in Aadhaar is that the individual is fraudulent, unless they prove that they are not. That is the fundamental design assumption of Aadhaar. So what it has essentially done is that it has really carefully replaced your rights as a citizen with privileges, granted by the state for good behavior. And that should have been a violation of the Constitution. It takes people a while to realize that this is a really subtle change that they made, that you were entitled to welfare under the Constitution of India, and it was the state's responsibility to give it to you if you deserved it. But what they did was flip it around and say "You have to be the person who proves your legitimacy to receive what is actually due to you".

And then they have a term for this: They call it the "self-cleaning database". This is a reference I found in a book. The first time I found an expression of how they thought about this. So essentially, for the state to hold you up to your rights, requires considerable resources on the part of the state.
And if the state is running a budget deficit, they're not going to deliver on your rights as they're supposed to. And this is the fundamental problem of most developing economies, that you may have rights, but the state doesn't know how to give it to you because they're lacking the capacity. So what Aadhaar does to solve the problem is to say, well, if the state can't do its thing, you must do it as a citizen. This is your duty as a citizen now to behave like a good citizen, and show to the state that you are keeping your data clean. This is not a wayward reference. While this is an author in a book pointing this out, in fact, this is how the state explains this in the parliament of India: "The Aadhaar system has a mechanism of self-cleaning the data during course of time".

So what happens when you interest people like this? If you insist, that to collect your subsidies, to collect your rations, which is food, that your rationed food, if you want to collect it, you must authenticate biometrically, and the technology does not work for whatever reason – your fingerprints don't scan, there is no cell phone connection, something else has gone wrong –, what do you do? Well, it goes to bizarre extents. This is a news story, where a remote village in India did not have a good mobile connection. But somebody discovered at the top of the tree there was an Internet connection. And so they put a fingerprint scanner on the tree. And now you climb up and put your finger there, and only then you're given food. This is one example, but obviously there are lots of these.

So what happens if you can't do this? Well, you just die. This is a compilation of reports of how many have died because the technology failed. These numbers have been growing. Fortunately, last year, the Supreme Court insisted that, if the technology doesn't work, it is not the citizen's fault, and you must provide an alternative.
And I don't know what the current numbers are and I don't expect them to be much better than this. It's probably as dismal as it is, because the state really has no interest in upholding rights.

So ironically enough, the database design has no feature for reporting a death. The official FAQ says "Somebody you're related to has died, how do you report it? – Well, we don't know how to record that, so just ignore it." So what happens to dead people? We started off the talk with how your soul, your Atman, is uploaded into the cloud. As it turns out, now you become a ghost in the system and you continue to exist as a fictional entity in a database because they do not know how to record that you died. This here is a list of possibilities and problems that arise out of the fact that they don't record it yet.

So why are they doing all these things? And the logical purpose, you know, what is it supposed to do? It's supposed to fix a corruption problem in verified distribution by ensuring subsidies are not misreported and delivered to someone who did not deserve a subsidy. So they really do this. And this is a blind manual from 2014. Here's an extract. And the basic idea that is part of the training for government employees is that you must record that number for every person in your database. So if you've got like 100 million welfare delays and welfare recipients, you are required to collect a hundred million Aadhaar numbers. How do you do this? You can go door to door and collect everybody's numbers, or you can do what's called an inorganic seeding, and they use the term seeding to describe the act of collecting Aadhaar numbers. So we have what's called an organic seeding where the beneficiary comes to you and says, here's my number. And then they had the inorganic seeding where you take it without their consent. It's in the manual. So they also claim this is foolproof because beneficiaries were claiming benefits in the names of others.
Such persons will not be able to authenticate themselves after your supposedly biometric authentication before you take their name in the database. But when you're doing it inorganically, you're not doing a biometric authentication. And so what happens then is they also point out that it is possible for the government employee to get it wrong and they just no possibility of life. So essentially thumbs up to the state, thumbs down to the citizen. That's a design. And of course, bullying a person to complain is not the same thing as technology that actually works and fraud exists as a violation that technology itself.

Here's a case where an Aadhaar number was issued by Gordon. And the letter was printed. It was dispatched. And the postman had written it saying, I did not know better to deliver this. So how did this happen? As it turns out, the hackers who built this were so proud of their biometric data application. Completely forgot about document verification. And you can put it again with his fingerprints and upload a picture of a guard or a dog or whatever it is. There have been Aadhaar numbers issued because trees, two guards and nobody takes those documents. You can be anybody you feel like. You can also get it on it. But not something Obama takes because. But there are people who don't have fingers. Oh, we're gonna have ice water was ice one scan and what you do with them. So in your technical design, you offered a biometric exception. All it requires is an enrollment agent who is willing to accept that you have an exception and must fit in the system. How many cases of fraud have happened using the exception route? Nobody knows. Out of the 1.25 billion enrollments of the claim. How many of these are fraudulent? Nobody knows because nobody checks these documents. You can get a document the name of forgot if you like. You know, it gets even more bizarre.
So this is from a news report and this news report, really community publish the Aadhaar number itself, which is a twelve-digit number up on top. The Aadhaar numbers are supposed to be confidential, like Delta credit card numbers. If you had the number, you can claim to go and reach out to someone. So you do not publish a number in public. So this went out in the press and someone is built on this and got himself a gas connection with subsidies. So Lord Hanuman, the god, has an Aadhaar number and also buys cooking gas from the state. So that's when I could just go on and on these stories, like any manner of fraud you want. It's in the system, it's been exploited.

And the ultimate prize, obviously, is if you can steal biometrics itself and that too has happened. So this is a case in the student with the police where the police found a gang trading in stolen biometrics. There's a little bit of side studio with there. You know, where at the top of that refer to them as a gang. And then below they become hackers. And this shift in usage is not innocent. They use gangs to refer to low-intelligence thugs operating on the street. And then they use the word hackers to refer to people doing a high level act. In this case, this pipe became an extremely interesting story for us to investigate because we discovered how bad the enrollment software itself was. When you enroll, the enrollment agent is required to first authenticate themselves and then accepting of indication on behalf of the individuals trying to get enrolled and the enrollment agent's I.D. used to ensure there is a quality check. So you know this fraud. You know who was the source of the fraud? It turns out that the enrollment plan is big Gonzalo and a bunch of dogfights and authentication. Morning is a dolphin. If you don't want him to get you to replace the jar file with something else or offer the same E PA but does not authenticate. And that's it. You enroll. That's the quality of the software.
So when you bring these issues up with the UIDAI, this is what they do. They had the Ministry of Denial. Every single time you report a story like this and say we have discovered a data breach, you discovered a vulnerability, we have discovered something going on with this e-mail, the data that we have in our database is safe. Is your copy that's studying? It's effectively, if the CIDR is the central identities repository and the CIDR remains safe and secure. Nobody has managed to break in. Nobody can use your Aadhaar number without authentication. Official response every single time you report a problem like this.

It's gotten so bad that the former boss of UIDAI is a man named R. S. Sharma, who is currently the chairman of the Telecom Regulatory Authority, issued a public silencing hack me. I guarantee you you cannot. No, this is incitement to a criminal act. It is also a violation of the law to publish or not that no. But he's the boss. He does it. Nobody says anything to him. You know, it's a statement of his privilege more than anything else. So he went on to promise that he will not take action against anyone who hacks him. But how the hell does a private citizen offer you immunity against a criminal act? So obviously, nobody took him on and he went on to declare victory and all he could do is make cartoons. Yes, we did. This literally was the only way to respond to a provocation like that.

So once again, you stop and ask, how is it possible for such utter incompetence to commodified democracy? I mean, democracy is supposed to have checks and balances that prevent this kind of thing from happening. How did this happen? And one way to understand it is maybe there was no way would refer to it at all. Maybe it was never about giving people identity. Maybe it was always about the state wanting to make it convenient to identify people.
And once you look at the timeline: where did this project come from, how did you create a project that goes on to enroll a billion people? I mean, it can't happen just because people who voluntarily came and said, I love it. I'm signing up now. It had to be forced on them. What forced them to do it? So the logic timeline is just completely apart from where this came from. And it goes back to 1999. That was a year when India went to war with Pakistan or with a conflict in a region called Kargil in the state of Jammu and Kashmir. And what the government of India figured is some people from Pakistan came into India, passed off as Indian citizens and caused this to happen. And so you can't let this happen, you can't have non-Indians wandering around the streets of India. How are you going to stop them? Well, so the government's solution was, well, we just want to integrate every single resident of this country and find out if they are Indian or not. So they called this project the National Population Register. It was meant to be a database of every single citizen of India. This is after the 1999 incident. Not recently. And then they had a second project called the National Registry of Citizens Radio. Take the NPR data and go back and interrogate everyone and see. Are you Indian or not? With all one point of our 120 billion people.

And then they lost elections. So 2004, we lose elections. The project basically doesn't move forward and the new government appoints a technocrat who gives it a new marketing spin saying, look, this is not about surveillance at all. This is about welfare and we want to make people's lives better. And he goes on to create a fairly fantastic media profile to the point where The Economist does PR for him. You saw what was wrong with Aadhaar, everything that goes wrong. And this is The Economist last week essentially saying, I think I should import this from India. It's economist. You can look it up.
So you have one PR campaign running like this. How it's all for welfare and you had the government that sponsored this PR campaign who went on to lose elections again. And the party that additionally created a surveillance database in 1999 is back in power now since 2014 and they're back on the original agenda. And so this month they passed what's called the Citizenship Amendment Act, which provides a path to citizenship of India. If you are from Pakistan, Bangladesh or Afghanistan and you're not a Muslim. That's the condition the bill explicitly excludes Muslims from citizenship of India. Now, this is very clearly a violation of the Constitution of India. In fact, Article 14, it is the shirt I'm reading here. This is my proudest shirt, essentially says that the state shall not deny equality before the law or equal access to the law to anybody in the jurisdiction of India. It is not restricted to citizens. It is applicable to all persons. And the act that has just been passed is a violation of the constitution. Now we have a majority in government. They can do what they please because there is literally no opposition to stop them. Which leaves it up to the people. And as a result of this, there have been protests all over India for the last month. Sample of news reports. There have been millions of people on the streets of India walking around asking for protests. Most people have not figured out that this is actually based on Aadhaar because I doubt it is a marketing term for the project that is meant to surveil and separate the people of India into citizens, into non-citizens based on their religion. So this is very dense. This is from the protest yesterday morning.

Thank you, Kiran. We have some time for questions, so please line up behind the microphones. And we also have signal angels who will pass on the questions from the Internet. And we're going to take one right now, whether any data leaks when the guy posted his number on Twitter.
Well, there have been multiple data leaks. I'll point you to a fairly interesting one. The chairman of the UIDAI, Mr. Lond on, let me talk a little about data leaks that he publishes. I get no online many, many years ago. And after subsequently being told that maybe this is not the best idea for you as a chairman of the entity to leak your phone number. He finally deleted it. But the Internet never forgets. And you can find this on stack overflow credit. So you just scored to stack worthless quotes where nothing really can even find out that. No consequences of leaks. Yes. In fact, the estimate of the total number of Aadhaar numbers that have leaked in public is well past 200 million.

Thank you. Microphone number two, please.

Yeah. First of all, thanks for the talk. I think that civil registry and public databases or public service databases of all citizens are definitely a topic that we should discuss here more. The problem with this one is very, very obvious. But I'd like just to mention that many of the privileges that we as a community being grown up in a Western, let's say, stable democracy, we derive from having a birth certificate and being able to get an identity, even if it's just one in paper. And there is a question come in, right. Yeah. So. So I would like to ask one thing. Yes. Why don't they use the paper that is being sent out as sort of an ID thing like we have with our I.D. cards?

For the simple reason that they really believe in this vision and did not want people using gift cards. But also in terms of was this the first lady? Because, you know, India doesn't have competence of birth registration. The idea. And so this question under the Right to Information Act, which is like the equal to the U.S. Freedom of Information access. And in 2015, they explained how many times how many enrollments happen against other documents. Was this the person not having any documents at all? And the lawsuit is low.
It wasn't ninety nine point five percent had at least two documents proving that I did. So this idea that it gave a to people who do not have one is completely false. Asked by their own admission.

Thank you. Microphone number one.

Do you generally oppose the idea of a central to identification number or just the implementation by inflating states like India?

That's a slightly different question. So the state always makes a huge difference. You know, the quality of the institutions of a state make a huge difference. I was, in fact, having a discussion with someone here yesterday who pointed out that distrust in centralized I.T. seems to be a Commonwealth phenomenon. The UK doesn't have one. The US doesn't have one, but Germany seems to have one. And more civil law jurisdictions seem to be okay with the idea of centralized data as long as it's well regulated. So yes. So though matter of government makes a huge difference, and I would say I can't speak of the technology of whether it's been good or bad. Separate from whether the government's offer is good or bad.

Thank you. Microphone number two.

Hi, Kiran. Thanks a lot for the talk. If I'm not wrong, a few months ago, maybe a year ago, I read about this big democracy events going on in India. Now, there is a few countries that are considering using I.D. for elections to avoid fraud and all those sort of things. And I come from a country that has been trying really hard to implement the I.D. system days reliable on the help of combat fraud in elections. Do you think these I.D., this thing can be somehow reformed to make the whole democracy process easier in India?

We have a case study of this facility, so I don't speak from theory. So in India, we had a state called Andhra Pradesh which split into two separate states. So now they're called Andhra Pradesh and Telangana. And part of what happens when you split a state is that you have separate elections for each state.
And so you need to know who the voters of your state will not be in the new state. You know, previously you had one voter database for your entire state. And I guess to also be able to databases and you need to know which person is in which state. So for the process of separating the database, they went ahead and collected Aadhaar numbers and ended up deleting a significant fraction of the voter database because they couldn't prove that they were residents of the state. Yes, some is a different story. So the opposition telling a story is particularly illustrative of how if you think you can bring in a technological solution, you probably are going to make it worse. In fact, you've got a deal going to make it worse.

Thank you. Kiran Jonnalagadda. A round of applause.