From data security to use of biometrics: Here’s everything you need to know about the Aadhaar case
UIDAI says database is fully secure while experts argue this is a very limited view of data security.
Disagreements over Aadhaar data security and its implications for privacy continue. Whether Aadhaar is fully secure or fundamentally flawed depends on where one stands. The disagreements begin with definitions. For instance, what is a data leak? It extends to issues such as the use of biometrics for authentication and repercussions of Aadhaar numbers leak etc. Supporters dismiss as rare the instances critics highlight as Aadhaar’s vulnerabilities.
To understand the issue, here is a look at the pros and cons of the debate.
First: What is data security?
UIDAI view: Database is “fully safe and secure”
The Unique Identification Authority of India (UIDAI), which is mandated to issue the 12-digit unique identity numbers — Aadhaar — has maintained that data they have collected is “fully safe and secure” and that there has not been a “single breach from its biometric database”. This is the information you share at the time of Aadhaar enrolment.
Critics view: Ecosystem is the challenge
Experts argue this is a very limited view of data security. The issue, they say, is not just about the central database. It concerns the entire ecosystem that uses Aadhaar. Even if the central database is well protected — powered by strong security and encryption mechanisms — UIDAI’s control over entities that are interacting with the core database starts weakening as it moves outwards to the periphery. That creates problems, critics say, especially as identity-related information can be misused.
“In any kind of system, the basic core will always be secure, but any such core system has to interact with a larger ecosystem and this ecosystem always bring the problem to the table,” said Vinayak Godse, director of the Data Security Council of India, National Association of Software and Services Companies’ premier data protection organisation, in an interview to HT last year.
Second: Aadhaar number ‘leaks’
The ecosystem challenge is reflected in the most commonly reported Aadhaar “leaks”— government websites inadvertently publishing millions of Aadhaar numbers on their websites. In July 2017, a website the Jharkhand Directorate of Social Security revealed personal details, including the Aadhaar numbers, names, addresses, and bank account details, of more than a million beneficiaries of the state’s old age pension scheme.
UIDAI view: Publication of Aadhaar numbers does not compromise privacy
According to the Aadhaar Act, making the unique identity numbers public is illegal.
“Although Aadhaar has to be shared with others, it being personal information like mobile number, bank account number, PAN card, passport, family details, etc, should be ordinarily protected to ensure privacy of the person,” UIDAI said in a tweet.
But UIDAI argues that in case someone gets to know your Aadhaar number, it does not compromise privacy. Aadhaar number in itself does not reveal any information about an individual, the agency says, just like a bank account number on its own does not reveal one’s financial information. “Aadhaar number, though a personal sensitive information, is not a secret number,” UIDAI clarified in a tweet. “Share freely but not in public domain.”
Critics view: Publication of Aadhaar numbers can lead to “identity theft”
Critics say the non-secret nature of an Aadhaar number opens up avenues for fraud, especially because it cannot be changed. It is permanent.
Experts say revelation of an Aadhaar number makes individuals vulnerable to identity theft. That happens when an imposter obtains key pieces of personally identifiable information to impersonate an individual.
Consider this : In February, police found that Tarun Sureja, a 32-year old Ahmedabad resident, allegedly forged an Aadhaar card belonging to a dead man to con a finance company of ?1.53 lakh. In March, a fake Aadhaar in the name of a Bollywood actor, Urvashi Rautela, was used to book a hotel room in Mumbai.
“Any data about you becoming public is a risk. With Aadhaar, the risk increases 100 times as it can be used for everything,” Srinivas Kodali, an independent security researcher, said.
New feature introduced: For additional security, the UIDAI has now introduced “Virtual ID”. It is a 16-digit temporary identifier, which an Aadhaar holder can generate on UIDAI’s website. It can be produced for authentication or verification purposes instead of disclosing the actual 12-digit Aadhaar number.
Third: Should biometrics be used for authentication?
The use of biometrics — fingerprints and iris data — for authentication is also contentious.
UIDAI view: Biometrics are safer than passwords. UIDAI does not consider the use of biometric authentication as a problem.
“People must know that even the theft of biometrics in a rare eventuality will not put one to the same level of risk as the leakage of a password,” UIDAI CEO Abhay Bhushan Pandey argued in an Indian Express op-ed. Physical signatures too fall into the category of biometrics, he wrote. “We all widely use our physical signatures to authenticate documents and transactions. Have the critics shunned the use of thumb prints and signatures? We continue to use them because there are additional checks in the system.”
Critics view: Use of biometrics as an authentication factor is “conceptually flawed”. Experts point to two major arguments.
First, biometric information, even though unique to individuals, are not secrets. Passwords are secret, biometrics are not. Technology is available to lift your fingerprint from a book you are reading and even from images posted on the internet. In 2014, hackers created fake fingerprint of German defence minister Ursula von der Leyen using high-resolution pictures she had posted on social media.
Second, you cannot change your biometrics, even if its compromised. This is equivalent to someone getting access to the password of your email account. In the case, you can update your password to protect your account. But you cannot change your fingerprints.
This flaw has been exploited. In July, a mobile SIM card operator in Hyderabad was arrested after he fraudulently activated over 6,000 SIM cards using the Aadhaar-based eKYC system. The accused downloaded Aadhaar credentials from Telangana government’s registration and stamps department website. He forged fingerprints by downloading property registration documents and used the combined dataset set to conduct unauthorised eKYC transactions.
Fourth: Incidents raising questions on Aadhaar security
At least four major cases have highlighted security issues in the Aadhaar’s architecture.
Suvidhaa-Axis Bank breach: replay attack
In February 2017, UIDAI filed a criminal complaint against three companies — Axis Bank, Suvidhaa Infoserve and eMudhram — after it had found that an individual had conducted 397 unauthorised biometric transactions between July 2016 and February 2017 using a stored fingerprint.
The incident exemplified Aadhaar’s “insider attack” challenge, wherein an attacker can collude with an insider who has access to various components of the Aadhaar system to conduct rogue transactions.
The UIDAI said this was an “isolated case” where an employee attempted to “misuse his own biometrics”. The agency says this problem —using stored biometrics for authorisation — will be eliminated by the new “registered devices”, which has additional security measures.
e-Hospital case: unauthorised eKYC transactions
In August 2017, a developer created a replica of the official e-Hospital app — used by patients to book appointments at government hospitals — to access Aadhaar numbers and personal details of thousands of people. The UIDAI servers were unable to distinguish between legitimate eKYC (“Know Your Customer”) requests for Aadhaar data from e-Hospital app and unauthorized requests from the developer’s free android app – Mygov.
In January, the Tribune reported it was possible to get “unrestricted access to details for any of the more than 1 billion Aadhaar numbers” by purchasing hacked software available for just Rs 500.
UIDAI called it a case of “misreporting”, claiming there had been no Aadhaar data breach. “UIDAI maintains complete log and traceability of the facility and any misuse can be traced and appropriate action taken. The reported case appears to be an instance of misuse of the grievance redressal search facility,” the agency said in a statement.
Vulnerability in enrolment software
A recent HuffPost India investigation found an “inexpensive, freely available, software patch” exploits vulnerabilities in Aadhaar’s enrolment software, letting unauthorised people “alter information stored in the database and enrol new users at will.”
The UIDAI contested the portal’s claim that information can be introduced into the Aadhaar database. It said UIDAI matches all the biometric (10 fingerprints and iris) of a person enrolling for Aadhaar with the biometrics of all Aadhaar holders before issuing an Aadhaar.
How serious are these flaws?
“Whether Aadhaar leaks are a security issue or not can only be assessed with serious security audits,” Kodali said. But details about the audits are not publicly available. “Whosoever is supposed to audit us is auditing us,” Pandey, the UIDAI CEO said in an interview with HT last year. “But the names can’t be disclosed due to security reasons.”