English speaking urban Indians are loud on English media but ultimately don't matter for political decisions because they can't actually flip an LA or LS election. You need to either be a significant voting bloc or a major economic bloc to become a veto player in any country.
[0] - https://www.reuters.com/sustainability/boards-policy-regulat...
[1] - https://www.reuters.com/sustainability/boards-policy-regulat...
Most likely, Indian government will try again
HTTPS still uses unencrypted Client Hellos (ECH) across the vast majority of the internet, showing which domain the client is visiting in plaintext for multi-site servers to do SNI. DNS is still plaintext on most consumer routers/models provided by ISPs, stingray technology exists in the wild and is widely used to mimic cell towers. E2EE is not popular in consumer applications, even Telegram isn't E2EE and the main ones that claim they are like X's new Chat they have the keys on; Matrix having E2EE still shows metadata in plain text, room names in plain text.
While iMessages, RCS, Signal are mostly mainstream, most people are unaware of the need for E2EE. RCS is its own set of issues.
Pegasus, Cellebrite, I can go on and on with the spyware companies that can just send a text message and infect devices with 0click exploits.
We can have E2EE but if they can just see the screen or hook in to the messaging app's memory doesn't mean much.
Pick up your cell phone, is it connected to Wifi? Can it see other Wifis? Apps track those nearby SSIDs and report to major databases to have accurate geo-location data down to the spot we stand.
Don't get me started on Ad-Tech.
The EU wants to install backdoors on everybody's devices and get rid of encryption entirely.
Zero Trust Technologies are a fun thing to read into, especially the need for them.
That is not a US government program.
You also brought up ECH, DoH, DoT, Android's fake cell tower detection, and Android's NEARBY_WIFI_DEVICES permission that also demonstrate a strong industry-wide push to limit mass surveillance, contributing to my argument that GGP's assertion that nothing has changed is incorrect.
> The EU wants to install backdoors on everybody's devices and get rid of encryption entirely.
No, it doesn't. Just because someone proposes something doesn't mean the EU wants it, especially when the EU completely removes that proposal from the table.
You're right, it isn't. It's a foreign one (allegedly) and they used the tools telecoms and agencies use to monitor data, sms, call logs with IMEI/IMS mapping. Those do belong to government agencies.
> You also brought up ECH, DoH, DoT, Android's fake cell tower detection, and Android's NEARBY_WIFI_DEVICES permission that also demonstrate a strong industry-wide push to limit mass surveillance, contributing to my argument that GGP's assertion that nothing has changed is incorrect.
This sounds more like you want to be correct; data brokers and mass surveillance are at an all time high, with platform providers requiring biometrics, ID uploads, data being sold, re-sold, re-sprinkled.
Android devices that cannot utilize the latest Android OS (16+) to my knowledge cannot access these features, and DoH, DoT are not enabled by default. Whether the device itself can show if a fake cell tower is being used is only one step. The telecom and infrastructure companies that provide 5G have more tech layered on top of it that is indeed vulnerable; Salt Typhoon sat dormant in major telecom and internet backbone devices for over a year before being discovered.
We don't know whose cyber campaigns or who's involved in surveillance. I'll often get customers sharing the same stories where they call their ISPs and the ISP operator will list all the websites the customer viewed in casual conversation over the phone, which is scary.
> No, it doesn't. Just because someone proposes something doesn't mean the EU wants it, especially when the EU completely removes that proposal from the table.
Yes, it does. Many countries are in favor of it in the EU and even if it fails, they keep proposing it until it'll pass.
The U.N. just signed a multi-nation treaty with 72 countries, including Russia, China, and Iran to swap data with other intelligence and law enforcement agencies with the data it's collected as its joint mission to, on paper look like a good thing but broaden surveillance and share that data among countries. https://vp.net/l/en-US/blog/72-Nations-Create-Global-Surveil...
The U.S. isn't involved with that, but here in the U.S. states are just now proposing VPN bans and requiring logging for major AI providers.
Most things are walled gardens.
The claims that it's getting better need all of us to put in a lot more work. Security, privacy, data integrity all go hand in hand.
Those SSIDs have among them, tracking that tracks MAC addresses, which can also be scanned out of the air using basic tools like aircrack-ng.
A simple 'Share Your Location with this website' popup on a browser is more than enough to geo-locate you and provides enough information to geo-locate others on the same network.
It getting better is just not true. I wish that were the case, but it's going to take a lot of work for all of us.
Telecoms use that data for billing. The government, notably, is not allowed to request this data en-masse post-Snowden.
> data brokers and mass surveillance are at an all time high, with platform providers requiring biometrics, ID uploads, data being sold, re-sold, re-sprinkled.
On the contrary, after GDPR, sharing of this data has become severely restricted, limiting this information to first parties.
> Android devices that can not utilize the latest Android OS (16+) to my knowledge can not access these features, by default DoH, DoT are not enabled by default
This permission was added in Android 13, also post-Snowden, representing a change limiting mass surveillance. DoH rolled out as the default to all Firefox and Chrome users in the U.S. in 2020.
> Yes, it does. Many countries are in favor of it in the EU and even if it fails, they keep proposing it until it'll pass.
Speculation. Mass surveillance is more difficult now than it was pre-Snowden, as I asserted. Maybe in 100 years, it will be different, but I made no claims about mass surveillance in the 22nd century.
> Those SSIDs have among them, tracking that tracks MAC addresses, which can also be scanned out of the air using basic tools like aircrack-ng
Android has defaulted MAC address randomization since version 10 and iOS since 14. This is yet another feature that made mass surveillance harder since Snowden.
We shouldn't call it "cyber safety" as that is a loaded phrase here. Obviously other considerations were part of it.
Like with the chat control in the EU now, the foot is already blocking the door.
And I'm sure in the end it will cave in. The "they" have a clear plan supported by infinitely more patience and resources than the "us" can muster, and the von der Leyen presidency has shown clear signs of direction towards more control, less privacy (by weakening the GDPR), and less of the good kind of regulation in industry.
As an EU citizen, I'm very unhappy with the Union's recent direction.
But, at least for now, hooray for the temporary victory on the Indian front!
1. Most Indian bureaucracy is clueless about tech things, and just goes by whatever somebody who sounds techy enough is selling them. Which in this case I'm guessing is a data mining company/lobby.
2. The information derived can be used for various purposes. Plotting election trends, economics, spotting general trends pro/against politics and other nefarious causes, etc.
3. Spying.
4. Using information to go after political opponents.
5. Demographic targeting, which in Indian context almost always means a pogrom against groups, which other groups don't like.
6. Selling data to commercial entities for better targeting, or even social engineering buying choices etc.
There could be many others. But it's kind of nice that it was taken back. Having said this, it will be pushed again at some point when people are busy with a crisis and this will be sold as a fix.
That is how they ramped up enrollment in Aadhaar UID.
I held out for many years due to privacy reasons. In the end, I changed my mind - it's just immensely useful to the general public.
Aadhar made it easier than before. It is really a quality of life improvement.
The main issue is government requiring IDs even when it is not usually needed in other countries. Mostly in the name of security. This is the root cause. Aadhar is just the symptom.
However Aadhar does enable deeper breaches into privacy due to its unified nature and the way it is validated through government owned infrastructure. There is full tracking possible on all the services that the residents used.
If Aadhar was a self sovereign ID, then having a single ID is definitely a good thing. It keeps privacy intact while usable where needed.
Post Aadhaar, even though all of those IDs are still legal and acceptable under law, the govt has added so much friction on the non Aadhaar path that in practice those IDs are unusable.
In reality different IDs were accepted at different departments and there was no consensus. It was really a pain. If someone took ration card as valid, others wanted another ID. In some states it was even worse.
It is true that the government has indirectly made Aadhar mandatory, contrary to the spirit of supreme court order.
If Aadhaar makes it easier for people living near poverty to get say bank accounts, it'd trump the reservations I have. That's what made UPI possible - just about everyone today has UPI, even people begging for money sometimes have a QR code handy (at least here in Bangalore).
I agree that there are undeniable benefits from Aadhar. However, the issue is that the narrative from the govt has been that it's an either or situation. Either you have the convenience of Aadhaar, or you have privacy. This is unequivocally false. The solution isn't even technical. There are two simple, easily doable fixes which will deliver most of the benefits without significantly eroding privacy.
1. Ensure that legally valid ids other than Aadhaar are not treated as second class by any govt department. If a non Aadhaar id is refused, the reason must be given in writing. The problem is govt babus like the ease of Aadhaar and hence refuse to do the tiny bit of extra work needed on the non Aadhaar path.
2. Amend the Aadhaar act to ban the use of Aadhaar for anything except identity verification. If any personal data linked to Aadhaar is saved by a platform, then they are liable for leak of the data in the event of a breach.
Just doing these will enable the use of Aadhaar for its original intent which was verifiable identity. The privacy degradation comes from using Aadhaar as a primary key for arbitrary storage of personal data, not from the existence of Aadhaar itself.
My point was that India should switch to a single card/id for everything, and get rid of everything else including the PAN card. Eventually make Aadhaar digital, and chip based so that it can hold your DL as well. Is it bad for privacy? Yes. But what a country should spend on protecting or preserving privacy is a function of where it is on the socioeconomic ladder. If a single ID helps 80% of Indians (a billion people) navigate the labyrinth of our bureaucracy, I'm ok with it, _today_.
Besides, simpler rules go a long way in reducing the power of govt departments (which we can agree on). It reduces cognitive overload for citizens, as well as for govt workers. Factor in where the rest of India stands in terms of education etc, the value of simple rules cannot be overstated.
As someone who values privacy, there are still ways to do it. You just have to invest a lot more energy and time into it though.
> whose attributes can't be changed
Many IDs (outside India) have similar issues, options to change attributes, and various redressal mechanisms.
It does not in practice, because Aadhaar data is an unverified source of big messes. As several examples:
- UP Gov does not believe Aadhaar to be a proof of date of birth https://www.newsonair.gov.in/up-government-clarifies-that-aa...
- UIDAI has stated that it is not a proof of citizenship, DoB, or address: https://timesofindia.indiatimes.com/city/lucknow/aadhaar-not...
- EPFO no longer accepts it https://www.thehindu.com/news/national/government-makes-citi...
Post Aadhaar, even though all of those IDs are still legal and acceptable under law, the govt has added so much friction on the non Aadhaar path that in practice those IDs are unusable.
Aadhar is "identity", it is not a "card" of any kind though Indians have an inherent love for collecting various cards for fun. I have my driving license, PAN, aapar, kisan and state government health insurance cards, labor department id card. I have a few more in some drawer.
Once a person gets aadhar, it acts pretty much the same as OAuth. You go to a hotel to get a room, Hotel by law is required to verify that your name and face match. You give your aadhar card to them which they scan on their computer and verify that your name matches your face. Because they are a hotel they have the right to only verify that.
This is much more privacy preserving than what supreme court did. Because of Supreme Court, hotels no longer bother to implement this and instead demand your passport and other identification, scan it and leave it in their system forever. They also are known to sell this data to others from time to time.
The technical idea behind aadhar was similar to UPI. Government runs the core infra with basic APIs but private companies build apps on top of it. For example, say GPay builds aadhar interface where when you walk into a hotel to reserve a room, Gpay automatically generates a new aadhar number with permissions only to show your name, photo and age. Hotel system verifies that and stores a receipt. If in future government is investigating who stayed in which room, law enforcement can convert these receipts to identification.
This was a better model which would have unlocked a lot of potential. The government failed to argue the case correctly and supreme court acted more like an activist court.
I do think both Government and Supreme Court failed to show the correct user journey here.
In comparison, a Voter ID and PAN are both hologram protected and forgeries are easily detected.
W3C verifiable credentials do not require a singular identity source, they work perfectly fine with multiple issuers.
However for getting a new mobile connection the flow is similar to what op has mentioned. It seems one can get a mobile connection by not opting for face recognition, but the process is cumbersome. Similarly for property registrations fingerprints (at least in some of the states) of the concerned parties are matched against the ones that are associated with their Aadhar.
I have two SIMs, and I surprisingly got the newer of them in 20 minutes at a remote village in India without an Aadhaar. Telcos do a Liveness check with their phone instead these days.
Isn't this the problem vs the Supreme court judgement? Why does the hotel need to save this data forever?
A simple fix will be to make companies liable for leaks of personal data. That alone will incentivize them to delete personal data as fast as humanly possible.
Now, the morons in charge are making it mandatory to book a gas cylinder as well. It’s like once a blind suddenly starts seeing, he wants to capture everything.
A friend then showed me that he downloaded aadhar PSD online, put a random invalid number, his photo and a non-existent address on the bank and used it everywhere where people were asking for aadhar without any need. Building and Airport security, Hotel reservation staff, Bus tickets and so on and used real aadhar only for banking and sim cards. He said this simplifies life a lot.
The truth, as you point out, is that Aadhaar in reality is an “honour based system”, where UIDAI pretends everything is valid and authenticated as long as it gets used everywhere.
As for the low IQ thing no one wants to acknowledge it but check the charts and see that it’s true. Centuries of caste based inbreeding and colonial clerk education will do that to a population. The added toxins in the turmeric will finish the job.
In the later incarnations, if this is an app which you need to access government services that is less of an issue, though I'm not advocating that this is completely fine. There are already apps like these CoWin (during Covid time), or Digiyatra (despite some of the privacy concerns around it [1]) which many are using. I hope if at all this app gets introduced (in the form you mention) there are larger discussions about permissions and the data access the app would need, and it can be disabled, uninstalled.
I don't view these apps as net negative for a country like India which is helped immensely by digitization.
My comment was just pointing out that governments have a way to get you to install the app if they really need to.
The question is what makes service critical. Is Expedia or Uber critical?
Let me spin it a bit, if a new tech comes along and that results in not being able to use delivery apps like ubereats to get food, that new tech should be considered an infringement of rights.
"New means by which individuals purchase food may not inhibit or otherwise reduce their ability existing means of purchasing food" that's how I'd word it. An uber eats ban is not a new mean of buying food but uber eats itself is. If doordash collaborates with payment card processors for an exclusive payment processing for delivery apps, that would be an infringement for example, because that's new tech/means reducing existing means.
Ex A: Ind x ITU, https://cis-india.org/internet-governance/blog/india-itu-res...
Ex B: China x ITU, https://datatracker.ietf.org/liaison/1677/
India: Every phone must install a cyber safety app
Apple: No
India: OK, nevermind
?
Apple has been a massive driver for India's electronics manufacturing boom, because it's Apple that has been strongarming its suppliers like Foxconn and Envision to start manufacturing (not just assembling) in India - just like how Apple helped turbocharge China's electronics upskilling in the late 2000s and early 2010s which helped Apple vendors like BYD and BOE become global competitors in the 2020s.
Tata Group has also become an Apple vendor now as well for both assembly as well as chip packaging, so they probably helped arbitrate.
Apple and India are also negotiating over a potential $38B anti-trust bill [0] which is a significantly higher priority for both parties.
[0] - https://www.reuters.com/sustainability/boards-policy-regulat...
Read between the lines?
> Given Sanchar Saathi’s increasing acceptance, Government has decided not to make the pre-installation mandatory for mobile manufacturers.
Policy that is hard to pass: SIM binding for all messenger apps and automatic log out every 6 hours for desktop apps.
Even more egregious policy: Pre-install spyware that cannot be disabled.
Withdraw the egregious policy on outrage, and people think they have won the battle.