India Withdraws Warning on Biometric ID Sharing Following Online Uproar (techcrunch.com)
India has withdrawn a warning that asked users to not share photocopies of their national biometric ID following a widespread uproar from users on social media, many of whom pointed out that this is the first time they were hearing about such a possibility. From a report: A regional office of UIDAI, the body that oversees the national biometric ID system Aadhaar, warned users on Friday that "unlicensed private entities" such as hotels and theatre halls are "not permitted to collect or keep copies of Aadhaar," a 12-digit unique number that ties an individual's fingerprints and retina scan, and people should avoid sharing photocopies of their Aadhaar to prevent misuse.
Re: (Score:2)
Re: Sounds sort of like a SSN (Score:1)
Ugh. Don't you just hate it when you get someone else's seamen all up in your SSBN? It's just the worst. Don't get me started!
Re: (Score:3)
Also: Don't make the mistake of using anything made by Apple for posting online.
Re: Sounds sort of like a SSN (Score:2)
What mistake is that? Believing a tech website won’t have the most basic tech bugs?
Re: (Score:3)
No. The mistake is believing a tech web site should pander to artistic types who think the quote mark needs redesigning to look more beautiful. If it breaks messaging and web sites? That's courage!
(You know you can turn that shit off in your preferences, right?)
Re: Sounds sort of like a SSN (Score:2)
Nah, it’s far more entertaining seeing people getting their knickers in a twist over something so unimportant. Seriously, why should I worry about my phone settings because a single poorly maintained under-budgeted buggy website doesn’t work properly? Besides, iOS devices are officially supported (https://slashdot.org/faq/mobile.shtml), so perhaps you should send feedback in the right direction (https://slashdot.org/faq/misc.shtml) instead of whinging here in the comments.
Re: (Score:2)
> why should I worry about my phone settings
Because it's like walking around with a piece of toilet paper stuck to your shoe.
Re: (Score:2)
Re: Sounds sort of like a SSN (Score:1)
Re: Sounds sort of like a SSN (Score:1)
Re: (Score:2)
Yep, it's Apple's courageous new quotes.
Sharing SSN is bad only because we decided so (Score:5, Insightful)
There's no reason that sharing your SSN should be bad. It's bad only because we decided it's bad. Only because we decided it should be secret - even though you give it out to everyone.
The SSN is an identifier - like your name or email address. Is sharing your email address bad? It is, or should be, the same thing.
The problem is acting like it's a secret password, pretending it's proof of identity. Allowing someone to get a credit card in your name just because they know your SSN is the problem. That's the same as if they issued me a credit card in your name just because I know your email address.
Perhaps the best thing that could happen with social security numbers and security would be if the social security administration openly published everyone's SSN on their web site. Then everyone would KNOW it's not a secret - you can't use it as a password, for authentication. That's already true because it's already available on the web, for most Americans. Odds are your SSN is in one or more leaks anyway, so it's actually not a secret. People need to understand that, and stop using it for authentication.
Re: (Score:2)
> Is sharing your email address bad?
Yes. I hate spam.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
> Your SSN is all over the place so it is easier to skim. Knowing someone's SSN opens a lot of doors for applying for credit cards and other crap in your name
THAT is the problem. Can I apply for a credit card in your name by knowing your email address? Of course not!
Why the HELL would they issue me a credit card in your name just because I got your social security number? That's fucking stupid. Because as you said "Your SSN is all over the place". It's an identifier; it's not a fucking secret. It's not
Re: (Score:2)
Re: (Score:2)
I'm curious if you're reading before replying.
No law is going to keep something secret if you give it out to everyone. That's actually the definition of a secret - it's something you don't tell anyone.
It's IMPOSSIBLE to go get it to each of your employers, and your bank, and a dozen government agencies, and the car dealer, and the apartment complex, and and and, and it's a secret. BY DEFINITION it's not a secret, you've told it to a bunch of people!
No law can change the fact that when you give it out to ev
Did the warning expose a flaw? (Score:2)
Re: (Score:2)
“UIDAI issued Aadhaar card holders are only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers. Aadhaar Identity Authentication ecosystem has provided adequate features for protecting and safeguarding the identity and privacy of the Aadhaar holder.”
Photocopies? (Score:2)
Re:Photocopies? (Score:4, Insightful)
Depends where you are in India. Some places it is still 1895.
Re: (Score:2)
Wish I had mod points.
Hard fail (Score:3)
Isn't the whole point of tying your biometrics to an ID that the ID doesn't need to be secret? The ID is public and the biometrics are essentially the private key.
Re: Hard fail (Score:3)
They are really not like a private key, which is a single number. Biometrics are typically some sort of representation of fingerprints. They are captured as an image, which doesn't have a single canonical representation. They are useless for authentication unless you have some reference to compare them to.
My guess is that the number in TFA is a record in the government database to find a biometric record to compare to. If you have a common enough name, as I do, there will be multiple people with the same f
Re: (Score:2)
Given the number of Patels and Singhs in India, I strongly suspect they have a lot of people with the same name born every day.
Re: (Score:2)
> Given the number of Patels and Singhs in India, I strongly suspect they have a lot of people with the same name born every day.
Their 3,000+ births per hour in India seems likely to be a contributing factor to duplicate names as well.
Re: (Score:2)
You are right, of course. Still, there are other things you can index on. Not just last name and DOB.
Regardless of what you use, to check biometrics, you need to have something to index on to find what to compare them against.
A unique number will do that. But that number can be copied. If you only check the biometrics against the record, and absolutely nothing else, the identity check will be a fail, though.
Bleh (Score:2)
In this day and age, it should be easy for the government to provide a service which issues unique one time verification codes for those entities needing access to this information to confirm anything, so you are never sharing a single identifier with anyone.
Instead, we continue to get half arsed approaches that risk your privacy.
Virtual ID for Aadhaar (Score:3)
Yes, should be easy for other countries, because such a service is already provided in India for over a decade: https://uidai.gov.in/284-faqs/... [uidai.gov.in]
Though a huge majority of people don't know about it, or don't bother to use it, or the agencies collecting the data refuse to accept VID because it is 16 digits instead of the regular 12 digits.
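The idea raised in the two comments above, per-request verification codes instead of one reusable identifier, sketched as an added example that is not part of the thread and is not how UIDAI's Virtual ID works. `VerificationService`, the verifier names and the sample record are hypothetical, and the 300-second lifetime is an assumption.

```python
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window for a code
RECORDS = {"CONSTRUCTED-ID-0001": {"over_18": True}}  # constructed sample data


class VerificationService:
    def __init__(self, records, clock=time.time):
        self._clock = clock
        self._records = records  # identifier -> attributes
        self._pending = {}  # sha256(code) -> (identifier, verifier_id, expires_at)

    def issue_code(self, identifier, verifier_id):
        """Requested by the holder; the code is bound to one named verifier."""
        if identifier not in self._records:
            raise KeyError("unknown identifier")
        code = secrets.token_urlsafe(16)
        # Store only a hash, so a leak of the pending table exposes no usable codes.
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[digest] = (identifier, verifier_id,
                                 self._clock() + CODE_TTL_SECONDS)
        return code

    def redeem(self, code, verifier_id, attribute, expected):
        """Called by the verifier; never returns the underlying identifier."""
        digest = hashlib.sha256(code.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None or entry[1] != verifier_id:
            return False  # unknown, already used, or issued for someone else
        del self._pending[digest]  # single use, consumed even if expired
        identifier, _, expires_at = entry
        if self._clock() > expires_at:
            return False
        return self._records[identifier].get(attribute) == expected


def demo():
    now = [1_000_000.0]  # fake clock so expiry can be shown without sleeping
    svc = VerificationService(RECORDS, clock=lambda: now[0])
    code = svc.issue_code("CONSTRUCTED-ID-0001", "hotel-42")
    out = {"wrong_verifier": svc.redeem(code, "cinema-7", "over_18", True),
           "first_use": svc.redeem(code, "hotel-42", "over_18", True),
           "replay": svc.redeem(code, "hotel-42", "over_18", True)}
    stale = svc.issue_code("CONSTRUCTED-ID-0001", "hotel-42")
    now[0] += CODE_TTL_SECONDS + 1
    out["expired"] = svc.redeem(stale, "hotel-42", "over_18", True)
    return out
```

A photocopied or logged code is worthless after its first redemption, and the verifier learns only the yes/no answer it asked for.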
Re: (Score:2)
> Instead, we continue to get half arsed approaches that risk your privacy.
That seems to still be the regular operating mode of most of the software industry and security is no exception.
Why let anyone scan it? (Score:5, Interesting)
This is exactly why I don't let stores "scan" the barcode on the back of my ID to buy beer, or whatever else they deem necessary. I get very vocal about telling them no, and asking for a copy of their data retention and privacy policies. All I ever get is a blank stare and "we have to scan it to sell you the item, sir."
I have even called the customer service hotline of a few large chains and asked them for the privacy policy or at bare minimum what they do with my DOB, Name, Address, DLN, and license information, and they flat out lie and tell me that the data isn't stored or logged.
Which is obvious bullshit, because:
A. Why scan it at all if you aren't doing anything with it? Just let the clerk read the birthday and let me be on my way.
B. No one collects data who isn't doing *something* with it. It's 2022, and I won't believe for one second that even Jim Bob's Beer & Gas isn't somehow attempting to monetize my personal data if they are going through the trouble of installing the infrastructure to scan IDs then enforcing a policy to do so.
I liked the old system, where there was no barcode on the back of your license, and there was either a color code or orientation shift of the card to denote if you were of the age of majority. I find it hard to believe that so many people think that kids buying beer or cigarettes (or weed in some places I suppose) is such a huge deal that we need national digital ID cards and such. Imagine if we had biometrics encoded in our IDs here. Every gas station in the country would have a copy of your most important identifying information.
And before anyone gives me any bullshit about terrorism, someone with nothing to live for doesn't give a shit about carrying an ID. It's all smoke and mirrors to monetize and track everyone, every moment of their life, and I refuse to participate.
Re: (Score:2)
There are countries (I live in one) where it's illegal to ask for a copy of someone's ID (which scanning basically is) if you're not on a very short shortlist of businesses that are allowed to ask for that.
Everyone else can 'verify' from the ID (that's what the damn thing is for), but can not copy it. So if anyone asks to copy your ID, your answer should almost always be "No."
Make a useful thing, watch it get used (Score:2, Interesting)
The country I'm living in has similar laws. The thing is, that list gets ever longer. And since enforcement is lax, plenty more places just scan, because that's nice and easy and the rent-a-cop at the gate doesn't need to think or write or type anything. Just put the card on the scanner and hit a button.
In the next country over they made sure that everyone can read your identity card with a suitable reader. No need to scan, just shove in that card and instant perfect electronic copy.
The bottom line with t
Re: (Score:3)
That's conflating two separate issues: Proving you exist (Id.) and proving you're allowed to do X (eg. buy beer). The problem is, the government never says what people can't do with national Id. (Originally, passports had the same problem, then it became law: Passports were for border entry/exit only.), so everyone and his dog 'needs' it. Then, copies become easy to steal and use for crime.
Here, several government Identifiers are regarded as private: SSN, unemployment, medical, student, taxation. The e
Re: Why let anyone scan it? (Score:2)
Re: (Score:3)
Re: (Score:2)
"Why scan it at all if you aren't doing anything with it? "
-1, telling a question
There are things you can do with an identifier other than store or log it. Most relevant to the situation you describe: you can authenticate it.
Re: (Score:2)
Primer on Aadhaar (Score:4, Interesting)
There is misuse and overuse which is happening as a lot of coders are lazy and just try to reuse code meant for SSN (which is different from Aadhaar as SSN has no biometrics) in every online app.
India has passports, Voter ID cards, Driving licenses, Ration Cards, PAN cards (used by the tax dept). Aadhaar is not the only ID. There is a push to use it for everything but there is push back. Officially for most things you can provide one of these other IDs.
No just the number (Score:2)