Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Your Rights Online

India Withdraws Warning on Biometric ID Sharing Following Online Uproar (techcrunch.com) 47

India has withdrawn a warning that asked users to not share photocopies of their national biometric ID following a widespread uproar from users on social media, many of whom pointed that this is the first time they were hearing about such a possibility. From a report: A regional office of UIDAI, the body that oversees the national biometric ID system Aadhaar, warned users on Friday that "unlicensed private entities" such as hotels and theatre halls are "not permitted to collect or keep copies of Aadhaar," a 12-digit unique number that ties an individual's fingerprints and retina scan, and people should avoid sharing photocopies of their Aadhaar to prevent misuse.
This discussion has been archived. No new comments can be posted.

India Withdraws Warning on Biometric ID Sharing Following Online Uproar

Comments Filter:
  • My initial reading of the story was that the warning, issued by a regional office of the Indian national ID agency, was wrong. Now it appears that the warning was correct but was withdrawn because it exposed a security weakness in the ID, probably because it relies on a unique number printed on the card itself (perhaps somewhat like a credit card).
    • Yes, it's quite difficult to get from the summary or TFA what exactly is the issue. The official message is now that there is no weakness, but I do not know how much truth is in that.
      "“UIDAI issued Aadhaar card holders are only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers. Aadhaar Identity Authentication ecosystem has provided adequate features for protecting and safeguarding the identity and privacy of the Aadhaar holder.”
  • What is it still 1995 in India?
  • by ahoffer0 ( 1372847 ) on Monday May 30, 2022 @09:28PM (#62578530)

    Isn't the whole point of tying your biometrics to an ID that the ID doesn't need to be secret? The ID is public and the biometrics are essentially the private key.

    • They are really not like a private key, which are a single number. Biometrics are typically some sort of representation of fingerprints. They are captured as an image, which doesn't have a single canonical representation. They are useless for authentication unless you have some reference to compare them to.

      My guess is that the number in TFA is a record in the government database to find a biometric record to compare to. If you have a common enough name, as I do, there will be multiple people with the same f

      • Given the number of Patels and Singhs in India, I strongly suspect they have a lot of people with the same name born every day.

        • by GoTeam ( 5042081 )

          Given the number of Patels and Singhs in India, I strongly suspect they have a lot of people with the same name born every day.

          Their 3,000+ births per hour in India seems likely to be a contributing factor to duplicate names as well.

        • by madbrain ( 11432 )

          You are right, of course. Still, there are other things you can index on. Not just last name and DOB.

          Regardless of what you use, to check biometrics, you need to have something to index on to find what to compare them against.
          A unique number will do that. But that number can be copied. If you only check the biometrics against the record, and absolutely nothing else, the identity check will be a fail, though.

  • In this day and age, it should be easy for the government to provide a service which issues unique one time verification codes for those entities needing access to this information to confirm anything, so you are never sharing a single identifier with anyone.

    Instead, we continue to get half arsed approaches that risk your privacy.

    • Yes should be easy for other countries, because such a service is already provided in India for over a decade : https://uidai.gov.in/284-faqs/... [uidai.gov.in]

      Though a huge majority of people don't know about it, or don't bother to use it, or the agencies collecting the data refuse to accept VID because it is 16 digits instead of the regular 12 digits.

    • by gweihir ( 88907 )

      Instead, we continue to get half arsed approaches that risk your privacy.

      That seems to still be the regular operating mode of most of the software industry and security is no exception.

  • by clonehappy ( 655530 ) on Tuesday May 31, 2022 @12:28AM (#62578714)

    This is exactly why I don't let stores "scan" the barcode on the back of my ID to buy beer, or whatever else they deem necessary. I get very vocal about telling them no, and asking for a copy of their data retention and privacy policies. All I ever get is a blank stare and "we have to scan it to sell you the item, sir."

    I have even called the customer service hotline of a few large chains and asked them for the privacy policy or at bare minimum what they do with my DOB, Name, Address, DLN, and license information, and they flat out lie and tell me that the data isn't stored or logged.

    Which is obvious bullshit, because:

    A. Why scan it at all if you aren't doing anything with it? Just let the clerk read the birthday and let me be on my way.
    B. No one collects data who isn't doing *something* with it. It's 2022, and I won't believe for one second that even Jim Bob's Beer & Gas isn't somehow attempting to monetize my personal data if they are going through the trouble of installing the infrastructure to scan IDs then enforcing a policy to do so.

    I liked the old system, where there was no barcode on the back of your license, and there was either a color code or orientation shift of the card to denote if you were of the age of majority. I find it hard to believe that so many people think that kids buying beer or cigarettes (or weed in some places I suppose) is such a huge deal that we need national digital ID cards and such. Imagine if we had biometrics encoded in our IDs here. Every gas station in the country would have a copy of your most important identifying information.

    And before anyone gives me any bullshit about terrorism, someone with nothing to live for doesn't give a shit about carrying an ID. It's all smoke and mirrors to monetize and track everyone, every moment of their life, and I refuse to participate.

    • by splutty ( 43475 )

      There are countries (I live in one) where it's illegal to ask for a copy of someone's ID (which scanning basically is) if you're not on a very short shortlist of businesses that is allowed to ask for that.

      Everyone else can 'verify' from the ID (that's what the damn thing is for), but can not copy it. So if anyone asks to copy your ID, your answer should almost always be "No."

      • by Anonymous Coward

        The country I'm living in has similar laws. The thing is, that list gets ever longer. And since enforcement is lax, plenty more places just scan, because that's nice and easy and the rent-a-cop at the gate doesn't need to think or write or type anything. Just put the card on the scanner and hit a button.

        In the next country over they made sure that everyone can read your identity card with a suitable reader. No need to scan, just shove in that card and instant perfect electronic copy.

        The bottom line with t

      • ... bullshit about terrorism ...

        That's conflating two separate issues: Proving you exist (Id.) and proving you're allowed to do X (eg. buy beer). The problem is, the government never says what people can't do with national Id. (Originally, passports had the same problem, then it became law: Passports were for border entry/exit only.), so everyone and his dog 'needs' it. Then, copies become easy to steal and use for crime.

        ... illegal to ask for a copy of someone's ID ...

        Here, several government Identifiers are regarded as private: SSN, unemployment, medical, student, taxation. The e

    • I also hate this. The cashier drones rarely warn you that they're going to scan it.
    • Sometimes bars scan the license for efficiency and /or to avoid human error - people doing math how old the customer is is slower than a scan and a greed/red result and more error prone. Barcode is somewhat harder to fake/modify than single digit on the front of the license (making an 8 into a 3 for example) - especially by unsophisticated adolescents who just want to buy alcohol. Last but not least, when properly implemented, it is actually better for your privacy - scanning the license provides the barten
    • "Why scan it at all if you aren't doing anything with it? "

      -1, telling a question

      There are things you can do with an identifier other than store or log it. Most relevant to the situation you describe: you can authenticate it.

    • If you weren't wearing tin foil on your head, maybe they would be less likely to ask for ID?
  • Primer on Aadhar (Score:4, Interesting)

    by ghoul ( 157158 ) on Tuesday May 31, 2022 @01:10AM (#62578748)
    Aadhar cards include your name, DOB, Father's name, picture , address and your photo. The biometric data is not on the card. Official users like courts, DMV and cellphone providers have a software interface to UIDAI. These folks take your picture and send the picture over the interface for a retina match or scan your fingerprints and send it. The matching is done at UIDAI and a match/no match is sent back. Unofficial users like hotels dont have access to this interface. They can basically look at you and say the picture matches the name.

    Their is misuse and overuse which is happening as lot of coders are lazy and just try to reuse code meant for SSN (which is different from Aadhar as SSN has no biometrics) in every online app.

    India has passports, Voter ID cards, Driving licenses, Ration Cards, PAN cards (used by the tax dept). Aadha is not the only ID. There is a push to use it for everything but there is push back. Officially for most things you can provide one of these other IDs.
  • People are providing copies of their Aadhar card to book hotel rooms, buy cell phones, etc.. Not just the number.

Genius is ten percent inspiration and fifty percent capital gains.

Working...