8 April 2017

Four Reasons You Should Worry About Aadhaar’s Use of Biometrics

BY L. VISWANATH 

Aadhaar is premised on the infallibility and security of an individual’s biometric data – her fingerprints and iris scans. But this is just a myth. 

The opposition to Aadhaar mostly centres on the issues of surveillance and privacy. While these are very important issues, the lofty platform on which Aadhaar stands is supported on the myth that biometric based identity is infallible, robust and safe. None of this is true, which therefore brings into question the very utility of Aadhaar, as also the unforeseen complications it may cause. 

Need to update biometric information throughout lifetime 

This is enshrined in sections 6 and 31(2) of the Aadhaar Act: 



Five points are immediately apparent: 

This flies in the face of UIDAI’s repeated advertisements that Aadhaar enrolment is a “one-time” affair. It is not and will never be. 

This recognises the fact that biometrics is a changeable entity. Some of the obviously imaginable reasons are ageing, manual labour, injury, illness, etc. But is there a way whereby a person can look in the mirror or look at his fingers and estimate that he is due for update? There is no objective means to comply with the aforementioned sections. 

Since the promise of Aadhaar as a unique identity hinges on the uniqueness of biometrics, it would be logical to assume that any update to biometric data should go through the same rigour as a new enrolment. Regulation 19(a) under Chapter IV of the Aadhaar (Enrolment and Update) Regulations, 2016 is pretty clueless here:


What biometric authentication, when the purpose is to update the biometrics? Is there implied expectation that the person is supposed to revisit the enrolment centre before all ten fingers and two irises go out of range? 

The conditionality imposed here is without precedent or law, not even for the worst convicts. Aside the ethical question, it is potentially a perpetual source of harassment, with no clearly defined solution. 

Periodic update of biometrics has already been institutionalized for the poorer sections of our society through such things as mandatory Aadhaar authentication for PDS rations. The other India can be easily netted by such things as mandatory eKYC for mobile SIMs from time to time. 

No access to biometric records in the database 

Section 28(5) of the Aadhaar Act disallows an individual access to the biometric information that forms the core of his unique ID. There are four problems with this. 


This leaves no room to verify whether the biometrics have been recorded correctly or not in the first place, when that same information forms the basis of identity. 

This leaves open the possibility of fraudulently replacing a person’s biometric identity. Even the enrolment operator (with a software hack) could upload someone else’s biometrics against another person. 

This is totally unlike other identity documents (like say passport), where all information necessary to serve as proof of identity is printed on the document itself. It serves as receipt for the information supplied and is in the custody of the individual to whom it matters. 

As there is no access to the biometrics in the database, there is technically no means to ascertain beforehand whether one or more of the biometrics is due for update. The only way to guess is after facing an authentication failure on the field. 

Uncertainty of biometric authentication 

Under various sections of the Aadhaar Act (sections 4(3), 7, 8 and 57), an individual may be required to undergo biometric authentication as proof of identity. This is problematic for several reasons. 

Biometric authentication is essentially a method of image recognition (or pattern matching) and always results in a probabilistic score, rather than a clear match/mismatch. This has been clearly revealed in the security breach case involving Axis Bank, Suvidhaa Infoserveand eMudhra. The source of UIDAI’s suspicion was that several authentication requests yielded the exact same score, which could not be possible if live fingerprints were used. 

Variability of the matching score is influenced by a variety of reasons, like the way the fingerprint/iris image is captured, different makes of biometric devices and above all, ageing and resultant changes to the human body. Biometric authentication can thus never serve as a fail-safe proof of identity. It must always be supplemented by an alternative proof, which then defeats the very purpose of biometric identity. 

The entire burden of uncertainty is borne by the individual. If authentication fails on all counts, the only recourse available is to update the biometrics in the database, which is again governed by ambiguous regulations (see part 1). 

Large scale authentication failures are already a reality across states where Aadhaar authentication has been made mandatory for welfare programmes like PDS and pensions. 
Authentication using mobile OTP is sometimes advertised as a failure option to biometric authentication. This is a complete antithesis to biometric identity, as it essentially considers a person’s mobile no. to be his unique ID.
 
Mobile OTP in the context of banking transactions is totally different, as it is used as an additional layer of security over and above PIN/password. Here it is being served as an alternative to biometric authentication, which effectively leaves mobile OTP as the only layer of security. 

Risk of identity theft 

Use of biometric authentication as a means of identity presents a persistent and immitigable risk of identity theft. The UIDAI’s defence is on three counts: one, the database is sufficiently encrypted and protected against breaches; two, biometric collection at the authentication end is encrypted (either in software or in hardware); three, there are penal provisions in the Aadhaar Act to deter any unauthorised access. But the technology behind Aadhaar is such that none of these measures is of any worth. Just consider the following: 

To commit an Aadhaar-enabled fraud, it is sufficient to fake the biometric authentication, so the security of the database itself is not a factor to consider at all. 

At the authentication end, no matter where the biometric image is encrypted, it is always possible to tap the raw signal just prior to that, using a software or hardware hack as may be needed. It is thus easily possible to both skim the biometrics of an unsuspecting user, as also supplant a previously copied image. 

If the UIDAI’s defence against copied biometrics is to flag exact matching scores through successive authentication attempts, it can be easily fooled by adding a small randomization to the sample each time. 

Biometric authentication can even be faked externally, without any software or hardware hack. Fingerprints can be copied from a variety of surfaces (even from the surface of the scanner device itself) and used to create a dummy finger. Similarly, iris image could be skimmed from photographs and supplanted on an artificial eye-like object. It should always be remembered that at the other end is a machine, so a few rounds of trial and error are all that would be needed to perfect the fraud.
 
Through all the above, the only assurance that biometrics are captured from a live individual is the honesty of the operator, which is no improvement from the situation without Aadhaar.
 
What makes biometric authentication particularly risky is that biometric identity once breached is unusable for life. Penal provisions to punish anyone are immaterial here. Contrast this with regular authentication systems based on password or PIN. They could be changed as a regular practice, or at least upon knowledge of breach. 

The potential gains from Aadhaar related fraud are huge, so we should expect people to invest their time, effort and money to stay ahead of the system. 

No comments: