10 January 2018

Government Mustn’t Be In Denial Over Aadhaar Security; It Is Real, But Largely Fixable

by R Jagannathan

The Unique Identification Authority of India and the National Democratic Alliance (NDA) government need to get off their high horses and accept that the security ring around Aadhaar is not as rock-solid as they want us to believe. If they remain in denial, they will be compromising the biggest thing India has ever created, the world’s biggest identity establishment platform that benefits both poor and rich – the former to obtain state benefits, and the latter to create customers where they need to be clearly identified as real.


The government is making a serious mistake by pushing it too hard without fixing the privacy and security issues to everybody’s satisfaction. The unstated fear, that it needs to be made ubiquitous before the Supreme Court pronounces its verdict on its constitutionality, is unwarranted. With over 1.1 billion numbers already issued, Aadhaar is already too big to fail. Even if the Supreme Court decrees that in future the Unique Identification Authority of India (UIDAI) can collect biometrics only with consent, or that Aadhaar cannot be made compulsory even for receiving any government benefit, it will remain the ID of choice purely because it will be the easiest one to obtain. By pushing Aadhaar with undue speed, the government is only building needless resistance to it.

The simple point is this: by making Aadhaar optional like getting a Gmail or a Facebook ID, the government will, in fact, ensure its quiet adoption even while it fixes the issues surrounding it. An expert committee under retired Supreme Court judge B N Srikrishna is already looking to create a strong data protection law, and this needs to be complemented by an external audit of UIDAI’s own internal data security protocols.

While it may be true that biometric data cannot be easily obtained, everything else can, as a Chandigarh Tribune journalist found out recently. She procured illegal access to Aadhaar data for as little as Rs 500. So, going after the journalist, and pretending that it is only the odd crook linked to the organisation who may be compromising security and privacy, is neither here nor there.

The vulnerabilities include the following:

First, there are corporate and other users, who use the Aadhaar number to authenticate your identity. Fingerprint machines are used to do this. But how difficult would it be for the same fingerprint device to be simultaneously hooked to a private database? And even while authenticating IDs, companies can access some of your details: name, address, gender, date of birth, etc. So, when a Vodafone, Airtel or Paytm seek to validate a new customer, they can electronically download the details required for the eKYC (electronic know your customer) process. This data is now in private hands, and can be used and even sold to outsiders. Data protection needs to extend far beyond just UIDAI, to all its users.

Second, there could be relatively less protected information logs with UIDAI itself. An article in Scroll.in suggests that when companies seek authentication, UIDAI creates logs related to this query. While the authority is not supposed to retain details of who sought what information about whom, enough logs remain for a while for an intrepid hacker to infer personal information about the person and his history. One is not sure if this vulnerability remains. It means unless the related logs are destroyed immediately after authentication, and multiple layers of internal security protocols are regularly checked and made foolproof, chances of data leaks cannot be ruled out.

Third, there are state governments and public sector organisations, which sometimes publish the names of beneficiaries along with their Aadhaar numbers. A Jharkhand government website published details of over a million Aadhaar numbers, including bank details, of old age pension beneficiaries last year. Clearly, this is simply about a lack of privacy awareness among government staff, and this needs remedying quickly.

What all this suggests is that there is a climate of carelessness and non-accountability among the users of Aadhaar data and authentication. Also, when private sector users of eKYC obtain details from the Aadhaar database, they are effectively getting to build their own database, which can then be mapped to service usage and other behavioural details of their customers to create an even more comprehensive database on their clients, which again remains relatively unprotected.

At the end of the day, Aadhaar is not the villain, for the details it is gathering are often no different from what many private parties do even today for various purposes. When you use fingerprints to unlock your phone, your biometrics are given to the phone company. When your apartment complex uses fingerprint validation for access, the same thing happens. Property registration processes involve photographing you at the registrar’s office. Publicly placed cameras in lifts, corridors and streets record your movements regularly, and one does not know who views these videos of slices of your private life. When Uber gives you daily rides, it knows where you are going and when, and, over a period of time, it can literally know what you are about. Your bank or credit card company owns data about what you buy, when you buy, and what you may be worth. This data is yours, and needs to be protected, but there is no such law that can effectively do so.

Aadhaar is no different – except for one thing. It is being mandated in many places by government. The question the government needs to ask itself is this: would Aadhaar be less used if it were optional for everything except the receipt of government benefits? The answer is the same as for Gmail or Google maps. As long as it is free, and there is value in the ID authentication, people will adopt it. Only the secretive rich may avoid it, but the rich are easy to spot. Making it compulsory for all kinds of reasons is what makes people resistant to Aadhaar.

A larger point is worth making: all security systems can ultimately be breached or hacked. This means security must be in continuous upgrade mode. UIDAI needs some ethical hackers on its payroll helping it go beyond denials.

No comments: