Rediff.com

Two major risks that make Aadhaar vulnerable

August 09, 2018 13:54 IST

The persistence with Aadhaar, to the exclusion of all other identity systems, is a dangerous path and should be avoided if the risks of digital vulnerability are to be eliminated.

Till such time that the ownership of the Aadhaar system is transferred to an independent body, concerns over Aadhaar’s digital vulnerability will persist, says A K Bhattacharya.

Illustration: Uttam Ghosh/Rediff.com

Social media as a platform for settling policy disputes is an idea whose time has not yet come, or perhaps should never come.

Exchanges over social media often tend to digress from the main subject and degenerate into either petty nitpicking or grandstanding with no focus on the central issues at stake.

A lot of heat and dust is generated, but little light is shed to help conclude a policy debate.

Yet, many sensible people in responsible positions have of late triggered a debate on social media to make a point or establish the case for a certain view or policy.

Telecom Regulatory Authority of India chairman Ram Sewak Sharma is one of them.

Mr Sharma is a strong supporter of Aadhaar, a 12-digit biometrics-based unique identity number issued by the Unique Identity Authority of India (UIDAI) to all residents of the country.

He was the UIDAI’s first director general from 2009 to 2013 and closely involved with the idea of an identity number that was supposed to be robust enough to eliminate duplicate and fake identities and could be verified and authenticated in an easy and cost-effective way.

However, its digital robustness and vulnerability to data breaches have continued to be a matter of debate since its inception in 2009.

That debate reached a new high last week. In response to a recent challenge from a social media participant, Mr Sharma posted his Aadhaar identity number on Twitter in a bid to prove that the Aadhaar system was robust and immune to any digital breach, and that making the number public carried no risk.

It was an open challenge to anybody to use Mr Sharma’s Aadhaar number, hack into his identity details and show how that could be misused.

This was also his way of telling all the detractors of Aadhaar that all was well with the identity system and it couldn’t be breached.

In the days that followed, social media was agog with posts reporting how Mr Sharma’s personal details like his phone number, email address and permanent account number could be accessed on the basis of his Aadhaar number.

What’s more, one social media post talked about how Rs 1 could be deposited in Mr Sharma’s bank account.

Mr Sharma was not at all rattled by these revelations. And rightly so.

The details of the data made public by his detractors do not conclusively establish that Mr Sharma’s Aadhaar identity was breached.

Such information could be available from a variety of other publicly available sources.

Even the payment of Rs 1 to his account is possible without any compromise of his Aadhaar identity.

So far, at least, Mr Sharma’s Aadhaar details have not been breached.

This is a telling comment as much on the efficacy of the community of ethical hackers, who tried to breach Mr Sharma’s identity, as on the quality of debate that usually takes place on social media.

Just as the detractors of the Aadhaar system failed to conclusively prove their point, the social media platform also proved to be completely unfit for carrying out any serious or healthy debate to settle a policy dispute of this nature.

And yet it would be patently wrong to believe Mr Sharma’s assertion that everything is hunky-dory with the Aadhaar system and the identity numbers have no digital vulnerability to worry about.

Mr Sharma’s Aadhaar identity may not have been compromised, but it would be wrong to conclude that there are no risks in such a system.

The risks are not only on account of the much-talked-about privacy issues. Hopefully, privacy concerns would be addressed by the proposed law based on the report submitted by Justice B N Srikrishna.

But there are other risks as well and those should not be ignored.

It would be useful to highlight just two such risks in light of the recent controversy.

One, the Aadhaar system resides in a single database. It is always risky to keep the entire country’s biometrics-based identity details in a single database, making the task of a hacker or an enemy country much easier.

These risks can multiply when the Aadhaar number becomes the only and compulsory identity proof for all residents in the country.

Supporters of Aadhaar would argue that it is not an identity proof, but an instrument for authenticating one’s identity.

But given the manner in which Aadhaar has come to be used in this country over the years, it has essentially been reduced to an identity proof.

And, it makes sense for any governance structure to have in place more than one identity system.

Yes, authenticating an identity is a must.

But why should the honour of an authenticated identity be bestowed only on Aadhaar?

Why should not the same rigour of authenticating an identity be followed before a permanent account number for income-tax purposes or a driving licence is issued?

A governance structure that is dependent solely on one identity system is certainly weaker than that which has more than one equally robust identity system.

The persistence with Aadhaar, to the exclusion of all other identity systems, is a dangerous path and should be avoided if the risks of digital vulnerability are to be eliminated.

The second risk emanates from the organisational structure that houses the Aadhaar database.

Whatever be the regime, the identity database of the entire country will remain under the direct supervision and control of the political executive.

Why should such an important database not remain under a Constitutionally mandated independent body?

There is no denying that the identity database of the country is a huge asset for anybody who has control over it.

It would be safer if the repository of such a database is an independent body with a status which makes it as independent as, say, the Comptroller and Auditor General of India or the Election Commission of India.

Till such time that the ownership of the Aadhaar system is transferred to an independent body, concerns over Aadhaar’s digital vulnerability will persist.

A K Bhattacharya