Rediff.com« Back to articlePrint this article

Is the largest biometric database in the world also its leakiest?

January 23, 2018 08:33 IST

The need of the hour, as the Supreme Court readies to rule on the constitutionality of Aadhaar, is for the UIDAI to fix the bugs, says Geetanjali Krishna, in the second and final part of her series.

Illustration: Dominic Xavier/Rediff.com

Part 1: Aadhaar for every Indian? Or just a select few?

 

In the garage of a DDA apartment in South Delhi, activists of the Satark Nagarik Sangathan, an NGO that uses the RTI law to enforce transparency in government functioning, explain the latest in the Aadhaar saga to Sumitra Devi, a worried pensioner in a slum.

 

“Now, you can apply online for a Virtual ID, or VID, which you can use in place of your Aadhaar card to keep it safe,” they say.

“It took me so long to get the Aadhaar card,” says the illiterate slum-dweller nervously.

“Is this new number compulsory? Will my pension be stopped again if I don’t get it?” They struggle vainly to allay the old lady’s fears.

“If this number is only available online, how will someone like me get it?” she asks. “I have no access to a computer … Why is the government imposing such difficult rules on people like me who can barely make ends meet?”

Not far away, the middle-class Kapoors worry about Aadhaar-linked data breaches, wondering how the hastily introduced VID will help people like them, who have already seeded their UID with their bank accounts, mutual fund investments, and phone numbers.

Having read how easy it was for journalists to “buy” Aadhaar data, they wonder what other fraud their data is vulnerable to.

Plenty, it seems. In December last year, Airtel Payments Bank had its eKYC (electronic know-your-customer) licence temporarily suspended by the Unique Identification Authority of India (UIDAI) for allegedly opening bank accounts and force-seeding them with Aadhaar numbers without the informed consent of the customers in question.

In September last year, the Uttar Pradesh police busted a Lucknow-based gang which cloned the fingerprints of authorised Aadhaar enrolment operators to create ‘fake’ Aadhaar numbers.

“First, using biometrics as passwords is a flawed concept,” says Subhashis Banerjee of IIT Delhi.

“Hackers the world over have shown how easy it is to clone biometrics -- without the victim even getting to know!”

In 2016, he co-authored a paper with IIT Delhi colleagues Shweta Agrawal and Subodh Sharma, Privacy and Security of Aadhaar: A Computer Science Perspective, which was the first to suggest VIDs as a means of protecting an individual’s Aadhaar number.

The UIDAI hasn’t yet disclosed how this will pan out, and how the country’s vast majority of illiterate poor like Sumitra Devi will generate this number.

Meanwhile, the computer science researcher is raising serious questions regarding the design framework upon which rests the aadhaar (foundation) of Aadhaar.

Banerjee questions the idea of obtaining “informed consent” from a citizen before using his/her data.

"People like me, sitting in IIT, can’t fully comprehend the consequences of sharing data -- so even if a villager in Jharkhand agrees to let their data be used, we can’t call their consent informed,” he explains.

Further, there are, today, secure technologies to protect access to data and prevent manual inspection of it by the agency that holds it -- which the Aadhaar framework doesn’t seem to have incorporated yet.

This has immense consequences for data protection and privacy: Banerjee points out that these structural flaws afflict all the government-held databases -- income tax, driving licence and banks included.

If the UIDAI is able to set up adequate data protection measures, then the VID could be a useful measure (think of it as being akin to Uber routing mobile calls between drivers and customers through a special line so that drivers have no access to the customer’s real number).

This discussion, many activists believe, is more academic than practical.

Today, as data has become more valuable than gold and oil, Aadhaar, the largest database of information in the world, risks becoming a sitting duck for hackers.

“The single biggest concern is the use of a unique ID everywhere, making it possible to build tradeable databases of individual information,” says the Internet Freedom Foundation’s Kiran Jonnalagadda. “The law lacks teeth to regulate such trade…”

Along with other activists, Jonnalagadda started a website www.speakforme.in, for citizens to complain to their MPs, banks, mobile operators, and other government service providers about repeated calls and messages from various entities exhorting them to link their Aadhaar numbers with various services.

Since its launch in December last year, over 34,000 emails have gone out. “VIDs would have helped if they were present from the start, but they were not,” says he.

“The most vulnerable sections of the population, individuals with no access to the internet or an Aadhaar centre in their neighbourhood, will suffer the most as they will be unable to obtain the benefits of VIDs…”

Bhardwaj and her cohorts in the Satark Nagarik Sangathan echo these sentiments.

“The introduction of the VID seems to be a knee-jerk reaction of the UIDAI to the recent debate on threats to privacy in the Aadhaar database,” says she.

“We’re at a loss to explain to the slum community, where we work, now totally dependent on Aadhaar to access government welfare benefits, how to go about getting this new number!”

To Banerjee, the greatest threat to data is from within the system, which is why it is imperative for the UIDAI to set up tamper-proof access control mechanisms.

“This would entail a cryptographically signed proof of authority to access data in the system, with a well-protected authorisation trail,” he suggests.

The January 2018 breach of Aadhaar data suggests such mechanisms aren’t in place yet. As Jonnalagadda recently tweeted: “Aadhaar is designed to protect the State from citizen fraud.

"Nothing in Aadhaar’s design protects the citizen from State fraud…”

The insecurity this has led to is exacerbated by the notions of the VID and “informed consent” -- which suggest that the onus of protecting one’s own data lies not on the agency which has been entrusted with it, but on the individual himself…

The need of the hour, as the Supreme Court readies to rule on the constitutionality of Aadhaar, is for the UIDAI to fix these bugs.

Otherwise, the largest biometric database in the world could also earn the dubious distinction of also being its leakiest.

Geetanjali Krishna
Source: source image