46 comments

[ 3.2 ms ] story [ 116 ms ] thread
Very devastating and a blow to open-source and privacy if true. Regardless, it has been admitted and the confession is already there on Wikipedia. [0]

> He was actively involved in the Aadhaar project, which provided a 12-digit unique-identity number to Indian residents based on their biometric and demographic data.

Oh dear.

[0] https://en.wikipedia.org/wiki/Viral_B._Shah

The project is called Aadhaar, and on it's surface it doesn't seem to be that bad, its a government ID that contains biometric and demographic data and doesn't seem to contain much more than what is requested of people at the US boarder, or what is contained on most national ID cards in jurisdictions where those exist, and at least the Aadhaar is voluntary, that is the government cannot deny service if someone chooses not to possess an Aadhaar ID. Reading the Wikipedia article also gives hope that the project isn't as bad as it might be.

"On 24 March 2014, the Supreme Court restrained the central government and the UIDAI from sharing data with any third party or agency, whether government or private, without the consent of the Aadhaar-holder in writing." [0]

"On 26 September 2018, the Supreme Court ruled that Section 57 of the Aadhaar Act was unconstitutional, meaning that private entities cannot compel their customers to provide their Aadhaar number as a condition of service to verify their identity, specifically citing requiring it for bank accounts, school admissions, and mobile phone service as examples of unlawful use cases" [0]

I still wouldn't want to have this kind of a system pushed on me, but then I would prefer if the ID chip was removed from my passport...

[0]https://en.wikipedia.org/wiki/Aadhaar#Legality_of_sharing_da...

> at least the Aadhaar is voluntary

It is practically impossible to live in India without aadhar.

I've never had the pleasure of visiting India, so have no first hand experience. Could you expand on your point. If the government can't refuse service and third parties cannot ask for the number, how does the lack of an Aadhaar impact everyday life?

Just as an aside, I don't doubt what you're saying, I'm just genuinely interested in the mechanics.

> If the government can't refuse service and third parties cannot ask for the number

That is just in theory, you need to have aadhar to pay income tax(not paying tax is a criminal offense), almost all benefits are now getting linked to aadhar. Almost all employers now ask for aadhar details for job.

Hyperbole. I can't think of a single place where Aadhar was the only source of identity that can be used
Just curious, have you managed to submit IT return without aadhar ?
Will the Julia language survive this? Not as bad as the whole Reiser situation, but this diminishes my interest in the language.

Oppressors should not be given any support. And lest someone forget, “I was just following orders” is not a defense. He made a choice that will have negative impact on individual privacy for generations to come.

I don't see the Julia language will be affected much at all. Julia is not used in cryptography but scientific research.

If by Reiser you mean Hans Reiser I fail to see any parallel at all.

However I am curious do you know why your interest in the language is diminished?

Julia has some nice ideas but it is time for a do-over as a fully open language (ie without the commercial backer actively upselling in their mailing list), and with the "time to first plot" and package management problems addressed.
What package management issues do you have?
Leaky databases aside, the objection to a National ID system is very American/British thing.
We have IDs at the state level, which is where they belong.
Seems like an arbitrary distinction which is considered important for historical/cultural reasons particular to America. Why is the federal/state boundary the important boundary, and not the state/county level? Or not the county/town level? Or the global/national boundary? Even having 3 or 4 layers of government is an arbitrary cultural trait. It could be one or two, or five or six.
In theory, the US is a federation of sovereign states (i.e., the federal government is a creature of the states, states are not supposed to be merely political subdivisions of the central government). Domestic affairs are supposed to be largely the realm of the states, with the Feds responsible for foreign affairs.

Which is why the federal government uses federal funding for roads, health care, welfare, etc., to coerce states to do what it wants domestically, rather than just dictating to them directly.

(comment deleted)
(comment deleted)
This is a torch & pitchfork store. Think twice before you might do stupid things..
Whatever the shortcomings of the AADHAAR project, it is probably the most important (for public welfare) national infrastructure project in the recent past. It has been absolutely pivotal in onboarding a large fraction of India's population on to 4G mobile services and digital payments infrastructure. It also serves as the backbone of India's "Direct Benefits Transfer" approach to welfare, which helps circumvent the massive corruption endemic in the previous means of distribution. This is arguably the backbone of the IT revolution necessary to upgrade governance infrastructure to the twenty-first century, for a billion people.

- For a thorough explanation, see: https://tigerfeathers.substack.com/p/the-internet-country

- Nandan Nilekani & Viral Shah even wrote a book laying out the vision behind the system: https://www.goodreads.com/book/show/27420086-rebooting-india

----

There's still a lot of room to debate cases of mis-handling, privacy issues, implementation details, etc. but calling it a mass surveillance project is just plain wrong. It is basically India's analogue to "Social Security" in the US. It is very easy to criticize AADHAAR from the perch of the english-speaking elite (who never face almost any of the problems that AADHAAR solves), but one needs to empathize with the problems of the bottom ~third of the country (~400M people) living in abject poverty -- to even start having a meaningful discussion about the pros and cons of the approach.

Smearing a programming language by association is further just flagrantly in bad faith!

India's equivalent of SSN is PAN, the Permanent Account number, which predates Aadhaar by decades.

DBT is also older than Aadhaar and uses IFSC + account numbers. An Aadhaar layer was added to it, wherein a new mapper from Aadhaar number to IFSC was added, but the additional indirection only creates additional opportunity for error and fraud, as the Airtel Payments Bank fraud demonstrated on a mass scale.

Jio's onboarding of 4G customers was not exclusively based on Aadhaar eKYC. They accepted any valid id, as I personally tested, but somehow Aadhaar propagandists fail to quote the break-up of IDs used.

Please, do a cross-check that you're not citing from propaganda material.

This sucks. I love Julia, especially for developing analysis tools. I started using Python in place of MATLAB when it was permissible in my work environment, but now I try to use Julia when possible, and almost exclusively in non-professional analysis/data endeavors.

I personally take issue with what Aadhaar is at its core, but the referenced thread of the associations and what's being done with the data is downright horrifying.

Andhra Pradesh leaked #Aadhaar of every school student, their claim is to stop school dropouts. This data is shared with Microsoft which boosts itself for building an AI

Andhra Pradesh built a search portal to search anyone's information using #Aadhaar. This portal was again publicly accessible to anyone. That search portal which everyone says doesn't exists are all over the place

why is a single ID card for everything called "survillance".

Sure, I would have preferred if this wasn't so leaky. But can someone tell me how this is surveillance if they're not tracking transactions, conversations or my individual choices (which I assume they are not)

Scroll around among the MANY leaks and you'll stumble across this one:

Public searchable db of pregnant women with addresses, due date and CASTE!

In a society where people are targeted and killed for their caste this is terrifying.

Exposing this data publicly may be a huge problem (I don't know enough about the leaks), but in a society where people want the government to offer welfare benefits based on caste (to address historical inequities), the government necessarily needs to track this data to prevent fraud when doling out welfare (eg. to issue the relevant certificates on birth, which can then be used in various benefit schemes analogous to affirmative action). One can't have it both ways!
One can absolutely have is "both ways" if both is: private data and govt knows your caste. It's the public data that is the problem.
A unique ID can act as a common "foreign key" in multiple databases. All IDs earlier to this were purpose-specific (Driving License, PAN etc). But with UID, state governments as well as central governments are building 360 degree views of each citizen - without being subjected to any laws or regulations. Look up how SRDH were build using something called "non-organic seeding" and have continued despite Supreme court coming down on them heavily.
Good sir, if you are required to add an Aadhaar number to an account everywhere, how is it not tracking?

There are now serious proposals to require Aadhaar for social media accounts too.

Some privacy advocates will equate the two things, but personally I find that reductive and misinformative. A centralized identification system can be abused, in the same way a central bank can. Where privacy can impact such a thing is through regulation and separation of concerns. It doesn't look like when this programmer worked on the system that it was purposed for abuse, so I don't know why this Twitter user thought it appropriate to equate the two. Without knowing that, this discussion is basically moot and this Twitter post is typical Twitter mud-slinging.

The real concerning part, to me, is that one person thinks it's okay to make baseless accusations about abuse and named the developer, which can endanger their well-being and their career.

(comment deleted)
I don't think that "government mass surveillance project" is a particularly fair characterization of Aadhaar[0], particularly in the context of Viral B. Shah's involvement in it back in 2010.

A national ID program with a per-person unique identifier has clear societal benefits, and while it can certainly be abused to enable "government mass surveillance", it is not such a project itself.

Data can be cross-referenced for both good and ill: the existence of a unique identifier akin to an SSN is not an inherently terrible thing.

[0]: https://en.wikipedia.org/wiki/Aadhaar

It is designed to be a universal foreign key. The number is supposed to be confidential, but almost no one treats it as such, and the founding CEO of the organisation (since retired) has repeatedly argued in public that the number should be public, and the official policy of regarding it as confidential was a poor compromise made to satisfy privacy critics. Since the architecture is not designed around confidential numbers, there is no actual way to keep it confidential.

Tokenization was promised and implemented in a rush while petitions against Aadhaar were being heard in the Supreme Court in 2018, but the tokens (called "virtual id") are not usable anywhere.

Curious, what was the proposed architecture supposed to look like with a public ID ?
You have one and only one Aadhaar number.

You give it to every service provider that has internal reasons to prevent double sign-up (usually: state sponsored subsidy)

Or if you don’t comply, the service provider will share their entire database with UIDAI (Unique ID Authority of India) and discover your Aadhaar number and add it to your record themselves. This scheme was colourfully marketed as “inorganic seeding” and ran without legal backing for several years.

If an Aadhaar number shows up twice in the database, it is considered a duplicate and the extra entry is deleted from the service provider’s database.

If no Aadhaar number shows up for a customer, it is considered a ghost and that person is also removed from the database. Sample side effects:

1. Several individuals who depended on the state for food grains were now classified as ghosts and died of hunger. The government attempted to dismiss the news as too fantastical to be true.

2. In an experimental case, this was done on a voter database in one state, and two million individuals found they could not vote in the 2019 elections because their voter identification was deleted. The government saved a shitload of money by not bothering to notify these individuals, also in violation of a legal requirement for due process.

Somewhere in the middle of these delightful experiments, they acknowledged that it was a bad idea to allow random service providers to upload their entire customer database, so they stopped the service. This enlightenment conveniently came after every major provider had run through the program once.

Later still, they acknowledged that if a service provider can add an Aadhaar number against a customer’s record without the customer’s consent, then nothing prevented fraud from occurring within the service provider. The solution to this problem was to acknowledge that Aadhaar numbers are confidential, so that an individual is protected from fraud in their name — as long as they manage to keep their number confidential.

Of course, no solution was found for service providers adding random Aadhaar numbers to create new ghosts.

Oh, and incidentally, it is not possible to perform biometric authentication on a dead person, and so it is not possible to mark an Aadhaar holder as deceased. The dead cannot certify their own death, and as RS Sharma — that founding Director General (whose post was later designated as CEO) keeps telling everyone [1][2], Aadhaar numbers were designed to be public and usable only against biometric authentication.

So now by design, Aadhaar numbers are perpetual, valid as long as they are in use, and any service provider can claim to be providing service to any Aadhaar number, and dead people can’t complain about deficient service, which is most convenient for fraudsters. The dead live on as ghosts in the machine.

[1] https://indianexpress.com/article/opinion/columns/aadhaar-in... [2] https://www.thehindu.com/news/national/concept-of-aadhaar-da...

On further googling, it looks like their problem is that Viral B Shah contributed to the Aadhar project (universal ID) for India.

I don't get what's the problem here. Its a government project for a federal ID to streamline benefits and ID, like a driver's license or a passport. Its pretty widely used now and IMO very useful for a developing country like India.

This is akin to getting mad at someone for doing a stint at USDS.

government "mass surveillance project". An attempt to make headlines juicy?
Wow! Allegations without context or material. Who would have thought someone on twitter would sling mud!

If the Indian government is going to implement the Aadhaar card.. I rather would like folks such as Viral Shah on the team to make sure the implementation is headed in the right direction.. The scale and operational challenges faced are significant. The context for that twitter thread is a leak of private data that occurred. If competent engineers are not involved, it will only get worse.

This is analogous to the US Govt implementing a plan to provide universal healthcare but random developers getting angry when a competent engineer works to make sure it is done right..

The details and implications seem to be disputed, but in any case, What in the world does this have to do with Julia? What will be accomplished by involving an MIT open source language which is opening new horizons in climate science, physics, economics and other societally important fields?

The happiness and productivity of current and next gen programmers and data scientists are relying Julia's success. If you have ever used the mess that is the pydata stack and its myriad different incompatible type systems, DSLs and APIs, and then breathed the fresh air of Julia, this should resonate. (numpy+pytorch+TF+python lists+ numba+pymc3, jax etc etc )

I have zero affiliation with Viral or Julia Computing, I'm just a guy who wants to continue enjoying writing the next line of code without looking up pandas docs for millionth time.

> What in the world does this have to do with Julia?

Nothing, It is just the claim to fame of the linked person

> The happiness and productivity of current and next gen programmers and data scientists are relying Julia's success.

I'm a big Julia fan, but "relying [on]" seems like an overstatement - "would be enhanced by" is as far as I'd be willing to go. Let's be honest, Julia is great, but in the unlikely unfortunate event that it crashed and burned, a lot of would be saddened, but we'll move on and improve the ecosystem in other ways. (And trust me, as an ex-Perl guy, I know a lot about moving on from languages.)

Not that any of these Twitter drama should affect Julia in any case, and it isn't likely to.

It seems to be just a government ID system. No proofs of mass surveillance are given. The emphasis on the language is even more disgusting. Flagged.
AAdhaar is an unique identity systems, India is among those few countries that lacks a citizens registry.

It makes it easy to receive government services and KYC, removes the need to fill in redundant information in every form. India is also a welfare state whether people like to call it one or not, every thing from toilets, electricity, housing and transport is either paid for or subsidised by the government.

A lot of Indians are unaware that such id systems have existed in the developed world for close to a 100 years. Even the country which had been hosting Osama bin laden has a citizens registry, India still does not have one.

Before you get outraged please do some research on the topic, or perhaps the world would be safer if you don't use Julia.

This is a reality of being a software developer anywhere. If you need a job or money, and someone is offering, you will probably take the job.

Viral is a nice person, I've met them once before. I sincerely doubt their involvement in any project like this was malicious or greed driven at the expense of others well being. Anyone who has worked for a govt or a large advertising company is doing things like this, or worse. If anything Viral is just another person who took a job they may or may not have understood or agreed with. Not agreeing with or normalizing the realities of this project, I don't know anything about them.

I will say this. It is deeply unfair given what we do know about the project to shame or blame any single person for this sort of thing.