Another Aadhaar Breach: The Govt. Has Its Head Buried in Sand

Reports of Aadhaar security breaches are now a dime a dozen. State govts. have put out Aadhaar numbers on public websites, as have central govt. ministries, only to remove them after an uproar. A report by the Center for Internet and Society said last May that Aadhaar numbers of about 13 crore people have been made public by the govt. through its own portals, besides bank account details of 10 crore persons.

But the recent report in The Tribune of how their reporter bought access to the entire Aadhaar database for Rs.500, and in just 10 minutes, has revealed what many experts had been indicating from earlier on. It is this: quite apart from an ignorant or indifferent govt. that doesn’t think twice before publicly revealing Aadhaar details the threat of data being accessed for unauthorized use by interested entities (from corporate to foreign) has become real.

As an IIT Delhi study has shown, the much hyped hi-tech storage and security system of Aadhaar data has several shortcomings. These can be summarized as follows:

1. Authentication without consent: Since biometric information (like fingerprints) are used to authenticate a user, it is possible to lift fingerprints from the person without consent and use it to authenticate a transaction.

2. Identification without consent: The whole system runs on the basis of revealing your Aadhaar number if you want to access a service. So the number becomes public in many locations. Interested parties can then use the number to identify the person without his/her consent, across various domains.

3. Unlawful access: This is perhaps the most dangerous of all risks, and the one UIDAI is least willing to explain or reassure about. All Aaadhar data is stored in the Central Identities Data Repository (CIDR). When you give your Aadhaar number to say, a phone service provider, they check it out with the CIDR going through an Authentication User Agency (AUA). The AUA in turn connects to the CIDR through an Authentication Service Agency (ASA). All these agencies and their authorized employees will have access to all Aadhar data. Besides them, point of sale (POS) devices also collect and transmit Aadhaar data. Similarly, the Enrolment Station where people enroll for Aadhaar also can have data.

Now, at all these points, people can unlawfully access the data. Isn’t all this data encrypted? It is but here’s the thing: the decryption keys are residing in the CIDR itself. So human managers can access the keys and get access to all data.

In short, there are many ways in which Aadhaar data can be leaked, but the most serious threat is from insider leak. Given the desperate measures adopted by companies to access private data for profiling and target marketing, and also for surveillance and tracking, it is not too difficult to imagine that they can pay somebody to get access and give them the precious data.

Considering that many of the links in the chain described in #3 above are themselves private players, they can themselves be infiltrated and compromised or they may be themselves involved in breaches. Earlier this year it was reported that three ASA’s – Axis Bank, Suvidhaa Infoserve and eMudhra – were given notices of probe by UIDAI for attempting unauthorized authentication and impersonation. UIDAI said in this connection that these three were suspected of storing biometrics of persons with themselves and then using them on behalf of the persons in unauthorized manner.

So, there you have it – the insider using Aadhaar data for illegal purposes.

Apart from all this are the possibilities of outsider or hacker attacks. These have been repeatedly discounted by UIDAI but cyber security experts insist that no security is unbreachable in today’s world.

What is most disconcerting in all this is the govt. and the UIDAI’s complete denial of any problems. Even in the face of the Tribune’s black-and-white expose, UIDAI issued a denial that any data was compromised. The newspaper has rebutted this amazing claim too. And such is the ruling party BJP’s stake in the whole Aadhaar project that immediately after the UIDAI denial, they tweeted that the Tribune story was ‘fake news’!

If the government itself is in denial after so many reports and exposures, the risks for Indian citizens become higher and more dangerous. Already facing problems because of failures in Aadhaar linking, denial of basic rights like food due to technical glitches and crossed wires, Indians have to feel worried about their personal information being used by unscrupulous companies or even intelligence agencies.