Ever since the personal details of TRAI chief Ram Sewak Sharma were leaked after he dared hackers to inflict any harm by publicly tweeting his Aadhaar number, the country has been abuzz about the issue of privacy, which means Aadhaar is back in the limelight for all the wrong reasons. Reports about vulnerabilities in UIDAI’s data system aside, there is a lot more harm that can be inflicted by just knowing a person’s Aadhaar number, harm that borders on identity theft.
Many mistakenly claim that simply knowing someone’s Aadhaar number is not enough, but as we can see it is not only enough but can actually be more than enough at times for criminals. In the wake of the RS Sharma incident, Nilesh Trivedi, a software expert, explained in detail the harm criminals can inflict on you by just knowing your Aadhaar number, and trust me when I say this, the eye-opening information will send a chill down your spine.
Once a malicious party knows your Aadhaar number, they can do a quick Google search to find out whether someone has previously uploaded Aadhaar-linked personal details about you on the internet and left the documents unsecured. If the answer is yes, they now know your name and other identity details, which also opens the door to your social media identity.
Or worse, your mobile number is lying there exposed on some page of the internet. And if a person knows his way around the internet, he can access your Aadhaar details, and those of millions of other people, which are openly listed on government websites, including academic data, medical history, address and DOB, social scheme benefits, etc. And as we recently witnessed in the case of the TRAI Chairman, no less than 14 pieces of information, such as his address, PAN card number, mobile number, etc., were exposed by just using his Aadhaar number.
But let’s assume that only your Aadhaar number and mobile number are accessible to a person with malicious intentions. Once they have your mobile number, a cloned SIM can easily be created by criminals in the underground market, which can then be used to receive OTPs for a host of tasks ranging from creating a fake email account to accessing social media platforms such as WhatsApp, Facebook, etc., which means the victim’s interests and social media connections are all now accessible. But that is not where it ends.
Since the phone number is linked to mobile payment platforms (read: UPI), it can now be used to access the victim’s purchase history, and also to reset your password on various platforms by triggering a forgot-password prompt and receiving the reset OTP message, all thanks to 2-factor authentication. Also, one can subscribe the victim to a paid service without their consent.
The Aadhaar APIs allow the agency to decide which auth factor to use and what to use the authentication for, @rssharma3 gets no say in it. Consent is completely missing. This is what many people found during demonetization, when somebody else had claimed their 4500 Rs cash.
— Nilesh Trivedi (@nileshtrivedi) July 28, 2018
As for Aadhaar, since the intrinsic APIs give third parties a free hand to employ an identification technology rather than a secure user authorization channel, the idea of consent is virtually non-existent. This basically means that even if your biometrics are unique, the demographic profiling employed by the Aadhaar system will be sufficient to mimic the victim’s identity on third-party platforms.
You can't cover this technical flaw with laws – because, by definition, criminals do NOT follow the law. UIDAI architecture treats the citizen as the suspect, but they have put too much trust in the agencies (and of course themselves).
— Nilesh Trivedi (@nileshtrivedi) July 28, 2018
But there is another major factor which comes into play here, and that is the level of authentication. As per Trivedi, a majority of users haven’t locked their biometrics, which essentially means that there is effectively no layer of authentication required when it comes to Aadhaar. This is something Airtel exploited to open Airtel Payments Bank accounts for people who bought new SIMs, an act for which the company was later slapped with a hefty fine.
And the even worse part is that Aadhaar is unique and irrevocable, which means once your privacy has been compromised, there is no turning back. The reason? One can discard his phone number and re-link all platforms to a new mobile number, but the same can’t be done with the UID, so the cycle will continue.
The EPFO has already shut down the Aadhaar seeding portal once in the past after it was revealed that hackers stole data, so what more assurance is there that it can’t happen again on a massive scale?
The only lesson here is that UIDAI should quit being in denial mode and start implementing measures which can prevent a mass data calamity. At the moment, Aadhaar has become a privacy nightmare, having once been touted as the most ambitious biometric identification initiative in the world.
But it is not just cyber security and its implementation that need to be prioritised; there is also a need for stricter regulation on how biometric data is collected, especially after reports of tools being sold online that can bypass Aadhaar’s biometric security protocol.