It’s okay getting help

Nick Grossman of Union Square Ventures:

There is a lot of stigma around getting help, in particular around getting psychological help. Like, what’s wrong with me that I need this, or why can’t I just deal with this on my own, or with my friends, or with diet and exercise. It took me a while to take the plunge and get help for the things I needed help with…

… it would be ridiculous to expect anyone who wants to excel at anything to do it all alone — the Patriots don’t coach themselves, and Roger Federer doesn’t go it alone either. In those cases, it’s so obvious that help is good and necessary, and that’s true for your mind, your health, your finances, etc.

We shouldn't judge seeking help even as we get better at managing these aspects of our lives. Our education leaves us woefully underprepared for actually dealing with life, and societal conditioning, with its emphasis on individuality, independence, assertiveness and achievement, is pernicious.

Misunderstanding Aadhaar as proof of identity

This week, I collected my passport from the collection centre at BKC in Bombay using the credit-card-size version of my Aadhaar card as proof of ID. I did it just to see whether it would work, and there were no problems at all.

This is serious. I could have forged another person's Aadhaar card easily and picked up their passport, or someone could have forged my card and collected my passport. Mere possession of an Aadhaar card means nothing; it needs to be verified via an OTP, a fingerprint scan or an iris scan.

Or take this message SBI has sent its customers, demanding a photocopy of their Aadhaar card in order to link their Aadhaar number to their bank accounts:

It is trivial to link your Aadhaar number to someone else's bank account, or have your account linked to another's number.

When the largest bank in the land doesn't understand how Aadhaar fundamentally works, we have a big problem [1].

The government needs to launch an aggressive educational campaign if it is to build confidence in the mandatory use of Aadhaar for public and private services.

[1] If done right, Aadhaar-based verification (or linking) is far more efficient than processing paper. Imagine if I could walk into an SBI branch, type in my bank account number and Aadhaar number like you do at web check-in counters, scan my finger and walk out. It would take less than a minute per person and no staff. Each branch likely has a fingerprint scanner already, given that it's how they sign up new accounts.

Small Identity

The solution is to give your identity a very small footprint. The fewer things you define yourself by, the fewer constraints you have on further growth.


Fixing Aadhaar eKYC and other leaks

Personally identifiable information (name, bank account and Aadhaar number, among others) has been leaked a number of times from government websites (“Details of over a million Aadhaar numbers published on Jharkhand govt website”) and from companies with Aadhaar-based eKYC (“Jio users’ names, email addresses & more leaked online, but it is in denial”).

Because these departments and companies have gotten this information from the UIDAI’s Aadhaar infrastructure, calls for de-linking Aadhaar from other customer accounts grow stronger with every leak. This is barking up the wrong tree:

1. In Reliance Jio’s case, the company (likely registered as a KYC User Agency, or KUA) requested data from UIDAI’s Aadhaar database by sending it the customer’s Aadhaar number. The customer then signalled his/her assent by having a fingerprint scanned and sent to UIDAI, which verified it and then sent Jio the KYC data packet. This packet has the personally identifiable information in question – name, date of birth, gender, phone, email, address and photograph – which serves as proof of identity and address, and which has since been leaked. (See the Aadhaar eKYC API 2.0 specification, PDF.)

I don’t see why any company that registers itself as a KUA to perform an eKYC should receive this data about the customer. UIDAI ‘knows’ the customer, and Jio (or any other company performing eKYC) trusts UIDAI. The KUA gains nothing from keeping its own copy of the data other than automatically filling in its customer profile. KYC is completely different from customer signup; data from one shouldn’t be used for the other. As a customer I may want to give such entities a different phone number or email address than the one on record with UIDAI (which is likely my private, primary one).

The Authentication API (which returns a yes/no answer to prove identity) can be extended for KYC purposes: for example, whether a customer is 18 or over – in order to sign up for a SIM card – is also a yes/no question that UIDAI can answer. Nothing is gained by sending the KUA the exact date of birth.

2. Even if the entity receives no personally identifiable information (PII) from UIDAI, it still has the customer’s Aadhaar number, linked to a customer profile. When that data is breached, the customer’s PII and Aadhaar number are now public. Ideally, that shouldn’t be a security risk; any transaction involving Aadhaar requires either an OTP to the registered mobile number or a biometric scan as authentication. Simply showing up with an Aadhaar card is no proof of identity, nor is it meant to be – that is why the Aadhaar card is printed on plain paper and not on a smart card with a PIN – it’s laughably easy to forge an Aadhaar card precisely because possession means nothing.

It turns out, though, that this isn’t widely known or understood in India. Therefore an Aadhaar card is treated just like a driver’s license, voter ID card or PAN card: if the photograph on the card matches the holder’s, it’s taken as proof. This – a fundamental misunderstanding of how Aadhaar is designed to work – is why such a data leak is problematic.

It is this misunderstanding we should tackle, not the linking of Aadhaar to mobile numbers, bank accounts and other accounts. There are tremendous benefits to having a ubiquitous national ID that is digitally, and only digitally, verifiable; just look at how efficient Estonia’s interfaces to government are. It was the first country to design and issue such digital national cards, over a decade ago. Aadhaar’s design is in many ways superior to Estonia’s (which relies on a chip-and-PIN card). Let’s stop making Aadhaar the bogeyman and instead identify and resolve the actual problems of misunderstanding and misuse.
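A small Python model of the design argued for in points 1 and 2 above: an added example, not UIDAI’s API or code from this blog. The resident records, the 12-digit numbers, the issued OTP, the fixed date and the `over_18` predicate are all constructed; the verifier answers only yes/no questions, refuses any query backed by possession of the number alone, and the current-style `ekyc_packet` is shown beside it only to make the leak surface visible.

```python
from dataclasses import dataclass, asdict
from datetime import date
import hashlib
import hmac

@dataclass(frozen=True)
class Resident:
    name: str
    dob: date
    phone: str
    fingerprint_hash: str  # constructed stand-in for a stored biometric template
# Constructed sample registry; the 12-digit keys are made up.
REGISTRY = {
    "123412341234": Resident("A. Resident", date(1990, 5, 17), "+91-99999-00000",
                             hashlib.sha256(b"fp-template-1").hexdigest()),
    "999988887777": Resident("B. Minor", date(2010, 1, 2), "+91-88888-00000",
                             hashlib.sha256(b"fp-template-2").hexdigest()),
}
# Constructed OTP "sent" to the registered phone of the first resident.
ISSUED_OTPS = {"123412341234": "482913"}
TODAY = date(2017, 8, 1)  # fixed so the example is reproducible

def second_factor_ok(number, otp=None, fingerprint=None):
    """Possession of the number proves nothing: require a valid OTP or biometric."""
    resident = REGISTRY.get(number)
    if resident is None:
        return False
    if otp is not None:
        expected = ISSUED_OTPS.get(number, "")
        return bool(expected) and hmac.compare_digest(otp, expected)
    if fingerprint is not None:
        return hmac.compare_digest(hashlib.sha256(fingerprint).hexdigest(), resident.fingerprint_hash)
    return False

def is_over_18(dob, today):
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1) >= 18

def ekyc_packet(number, otp=None, fingerprint=None):
    """Current-style eKYC: hands the KUA the whole record, which it then stores."""
    if not second_factor_ok(number, otp, fingerprint):
        return None
    return asdict(REGISTRY[number])  # every field here becomes a future leak

def kua_query(number, predicate, otp=None, fingerprint=None, today=TODAY):
    """Data-minimising alternative: answers 'yes', 'no' or 'denied', never data."""
    if not second_factor_ok(number, otp, fingerprint):
        return "denied"
    checks = {"over_18": lambda r: is_over_18(r.dob, today)}
    return "yes" if checks[predicate](REGISTRY[number]) else "no"
```

The same OTP or biometric check gates both paths; the difference is only in what crosses back to the KUA, which is exactly what a breach at the KUA later exposes.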