Aadhaar data breach proves design flaw

Illustration: Bhaskaran

Why added security features alone may not solve the Aadhaar problem

  • The UIDAI has introduced Virtual IDs, which are 16-digit, randomly generated numbers that can prevent outsiders from accessing Aadhaar data. But the government would still be able to monitor and combine databases without users’ consent.

  • “Aadhaar was never designed keeping the citizen in mind. It was never designed to worry about the sensitivities of people’s data, and their privacy and rights.” - Rajeev Chandrasekhar, MP

On January 4, The Tribune published a report that exposed the vulnerabilities of the world’s largest biometric identification database. Rachna Khaira, a reporter with the Chandigarh-based newspaper, “purchased”, for Rs500, a login ID and password that enabled her to access the database managed by the Unique Identification Authority of India (UIDAI). A statutory body, the UIDAI issues the 12-digit unique identification numbers called Aadhaar to Indian citizens.

According to Khaira’s report, an agent representing “anonymous sellers over WhatsApp” created an online gateway through which she could log in to the Aadhaar portal, “and instantly get all particulars that an individual may have submitted to the UIDAI, including name, address, postal code, photo, phone number and email”. For an additional Rs300, said the report, the agent provided “software that could facilitate the printing of the Aadhaar card, after entering the Aadhaar number of any individual”. The Tribune said more than one lakh users may have been able to illegally access the database with the help of such agents.

Soon after the story broke, the UIDAI termed it as a case of “misreporting”, and said there had not been any such data breach. A day later, one of its deputy directors lodged a complaint with the cyber cell of the Delhi Police Crime Branch, which then registered a first information report naming Khaira, the newspaper and others under various sections of the Indian Penal Code, the Information Technology Act and the Aadhaar Act.

The move caused a furore. The Editors Guild of India condemned it, saying it was designed to “browbeat a journalist”. “It is unfair, unjustified and a direct attack on the freedom of the press,” said the Guild.

Ravi Shankar Prasad, Union minister for law and information technology, soon stepped in, saying the FIR was filed against “unknown” entities and that the government is committed to protecting the freedom of the press. “I have suggested UIDAI to request Tribune & its journalist to give all assistance to police in investigating real offenders,” he tweeted.

“When arguments [in cases related to the UIDAI in the Supreme Court] began in 2012-13, many of the apprehensions surrounding Aadhaar were theoretical. Now, most of those criticisms have changed from theoretic to prophetic,” says Rahul Narayan, a Supreme Court advocate arguing cases challenging Aadhaar’s constitutional validity.

Narayan says the alleged data breach makes his case against Aadhaar stronger. There are at least 25 petitions related to Aadhaar before the Supreme Court now, apart from petitions filed in courts across India, questioning its constitutional validity.

Why the data breach matters

[Image: Rajeev Chandrasekhar]

The UIDAI has information about 1.19 billion citizens—name, address, date of birth, gender, mail IDs, phone numbers, fingerprints and retinal scans. A breach means that at least some of this information is out in the public domain, and that anyone can misuse it.

The breach is serious because of three fundamental reasons. One, it can lead to identity fraud. Take the case of Alf Goransson, CEO of the Swedish company Securitas AB. On July 10 last year, much to his surprise and dismay, a district court in Stockholm declared the 59-year-old bankrupt. But, it was later revealed that he was a victim of identity theft. Someone had hacked Goransson’s digital ID and used it to seek a loan of an undisclosed amount, after which a bankruptcy application was filed against Goransson.

“The identity theft took place in March [2017],” his company said on July 12. “Goransson didn’t know he had been hacked until this week.” Ironically, his company is in the security services business. Also, Sweden was the first country to provide all citizens with personal identification numbers, which they must use in every interaction with the state.

Two, Aadhaar, with its current architecture, is a huge threat to national security. “Irrespective of what the Supreme Court decides, Aadhaar is going to be a major national security issue,” says digital rights activist Nikhil Pahwa, cofounder of SaveTheInternet.in and Internet Freedom Foundation. “This is because the demographic data is now not just with the UIDAI, but also with many private entities, thanks to the e-KYC [‘know your customer’] process. The vulnerabilities are higher because of its linkage to multiple databases. The data is going to keep leaking…. More and more people are going to get compromised for the rest of their lives.”

Three, Aadhaar is being used in ways that go beyond its original purpose of issuing ID numbers to citizens for direct transfer of subsidies. “Earlier, someone would have to sit and aggregate across multiple shops and places to get these IDs or details,” says Pranesh Prakash, policy director at the think-tank Centre for Internet and Society. “But now, one can sit behind a console and get people’s details, including phone numbers. This kind of centralisation makes the problem worse. It promises something, which it doesn’t deliver.”

Thanks to the government allowing access to private players, the corporates, too, can now use the database’s surveillance capabilities. From e-commerce companies that demand Aadhaar for tracking lost packages, to hotels that accept only Aadhaar as valid ID, the biometric identity system is now being used for anything and everything. Since India lacks a comprehensive data security law, people have to blindly trust these companies with their information, including their financial details. “Designing Aadhaar without limiting its purpose is the real problem here,” says Anivar Aravind, founder and executive director of Bengaluru-based Indic Project, a nonprofit technology initiative.

Vulnerable architecture

Measures to protect the data aside, the basic design of Aadhaar is not consistent with an individual’s right to privacy and the need to obtain explicit consent.

The Airtel Payments Bank case is a classic example. Aadhaar-based payment systems, which are responsible for direct transfer of subsidies, are designed in such a way that multiple bank accounts are linked to the same Aadhaar number, while subsidies are transferred to the last such account that was linked. Airtel used its payments bank license to open bank accounts without customers’ consent, which resulted in the subsidies being transferred, without the customers’ knowledge, to their Airtel accounts. The authorities responded by suspending Airtel’s payments bank license.

Contrary to popular perception, says Rajya Sabha member Rajeev Chandrasekhar, Aadhaar was designed for bureaucrats. “It is increasingly visible that Aadhaar was never designed keeping the citizen in mind,” he says. “Therefore, it was never designed to worry about the sensitivities of people’s data, and their privacy and rights.”

A former technology entrepreneur, Chandrasekhar has been a vocal critic of Aadhaar since it was launched in 2009. Despite being closely associated with the ruling BJP government, he has pressed on with his petition challenging Aadhaar in the Supreme Court. “Yes, it does target subsidies better,” says Chandrasekhar. “But, does it protect the rights of individual citizens? No.”

He believes that the issues now plaguing Aadhaar are the result of complete political incompetence. “The knowledge and understanding of what Aadhaar is has just started getting into the minds of lawmakers and the media. The lesson to be learned here is that it is not just enough to get the best of talents to design such a project, but also that the project has to be in tandem with its political and social objectives.”

The damage created by the Aadhaar breach may be irrevocable, because an individual’s biometric and related data do not change. This is why some people have been demanding a complete shutdown of the database. “It is built to fail,” says Pahwa. “If it fails quickly, then less people will get hurt. If it takes a long time, a lot more people will get hurt.”

Some say the UIDAI urgently needs to delink all Aadhaar data from other systems. “Aadhaar has failed as an authenticator after the data breach,” says a lawyer and digital rights advocate. “So, all such authentication activities must stop. Curtail the damage by delinking Aadhaar from the various [other] databases. The government must ensure that none of the other databases work solely on Aadhaar authentication.” But, what about the data that is said to have leaked already? “In such cases, the only solution is to hold the UIDAI liable for any misuse that might happen,” says the advocate.

Currently, though, there is no established legal remedy to hold the UIDAI accountable for any breach of Aadhaar data. “The moment you make the UIDAI legally accountable, then they will make sure that they will do everything necessary to plug all these loopholes,” says Chandrasekhar. “They will have an incentive to review the design and make sure that the design is foolproof.”

There is also an urgent need to redesign the Aadhaar database so that it keeps pace with the rapid changes in the online world. “The technology in case of a re-architectured Aadhaar must be a continuously evolving one. It should also use domestic technologies and encryptions so that there is no intrusion,” says Chandrasekhar.

Redesigning the database calls for bringing in security features like tokenisation, which involves assigning random, temporary numbers to enable each Aadhaar-based transaction. On January 10, the UIDAI announced a move in that direction. It introduced Virtual IDs, which are 16-digit, randomly generated numbers that will be used instead of the 12-digit Aadhaar to authenticate transactions.

Virtual IDs work on the principle of tokenisation. They are generated each time a service request is made. A user can generate as many Virtual IDs as she wants. The older ID gets automatically cancelled once a fresh one is generated. It prevents the service provider, or any outsider, from misusing an individual’s Aadhaar.

But, there are limitations to Virtual IDs, too. “It’s not about security but it will prevent, say, third parties from being able to combine databases without user's consent,” Pranesh says. The government would still be able to monitor and combine databases. Also, the UIDAI has exempted 'global' authentication user agencies (AUAs) from the ambit of Virtual IDs, which means that such agencies are provided Aadhaar details during their KYC process. Interestingly, the UIDAI has not defined 'global' AUAs.
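As an added illustration (not code from the article, the UIDAI or any real Aadhaar system), a toy Python model of the tokenisation scheme described above and of the limitation just noted: two service providers holding different Virtual IDs for the same person cannot join their records, while the issuer that holds the VID-to-Aadhaar mapping still can. The class and function names are assumptions made for this example.

```python
import secrets
from typing import Optional

AADHAAR_DIGITS = 12
VID_DIGITS = 16


class VirtualIdVault:
    """Constructed toy model of the Virtual ID scheme: a random 16-digit VID
    maps to a 12-digit Aadhaar number, generating a new VID cancels the old
    one, and service providers only ever handle VIDs. Not UIDAI code."""

    def __init__(self) -> None:
        self._live = {}         # live (uncancelled) VID -> Aadhaar number
        self._history = {}      # every VID ever issued -> Aadhaar number
        self._current = {}      # Aadhaar number -> its live VID

    def generate_vid(self, aadhaar: str) -> str:
        if len(aadhaar) != AADHAAR_DIGITS or not aadhaar.isdigit():
            raise ValueError("Aadhaar number must be 12 digits")
        old = self._current.get(aadhaar)
        if old is not None:
            del self._live[old]          # the older VID is cancelled
        vid = "".join(secrets.choice("0123456789") for _ in range(VID_DIGITS))
        while vid in self._history:      # avoid the tiny chance of a clash
            vid = "".join(secrets.choice("0123456789") for _ in range(VID_DIGITS))
        self._live[vid] = aadhaar
        self._history[vid] = aadhaar
        self._current[aadhaar] = vid
        return vid

    def is_live(self, vid: str) -> bool:
        """All an authentication request can learn: is this VID still valid?"""
        return vid in self._live

    def resolve(self, vid: str) -> Optional[str]:
        """Only the vault holder can map a VID (even a cancelled one, because
        the issuer keeps its records) back to the Aadhaar number."""
        return self._history.get(vid)


def can_join_records(vid_a: str, vid_b: str, vault: Optional[VirtualIdVault]) -> bool:
    """Can two record holders tell that their VIDs refer to the same person?
    Without the vault the only shared key is the VID string itself; with the
    vault (the issuer) the underlying Aadhaar number links them."""
    if vault is None:
        return vid_a == vid_b
    a, b = vault.resolve(vid_a), vault.resolve(vid_b)
    return a is not None and a == b
```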

As is evident, India was not ready for Aadhaar from an infrastructure, awareness, legal and technological point of view. The architects of Aadhaar belonged to a school of thought that builds a programme first and puts the technological and legal structure in place later, which has indeed resulted in data breaches and in the exclusion of rightful beneficiaries from the system.

The authorities need to revisit the Aadhaar architecture. They also have to hasten the process of formulating data protection laws. Says Chandrasekhar: “Reciprocal legal obligation on all entities that is holding the data—both public and private—is what a data protection committee must try to ensure and put in place.”

The Week
