The idea of creating a universal identity system linked to biometrics sounds like something most smart nations would have in the future. Prima facie, the task is monumental and security has to be paramount.
And if that database of IDs also links sensitive banking credentials of every enrolled citizen, and also their primary mobile numbers, the security around it has to be that much tighter.
Unfortunately for India, the database security is so weak that hacking it feels like using a sledgehammer to drive in a nail. It is far more power than the job needs, when the same result can be bought for a paltry sum of Rs 500, without an iota of hacking know-how. And the biggest thing to worry about is how Aadhaar has turned into a tool for state surveillance.
Millions of Indians need to be concerned about Aadhaar, and it’s not just because of one or two reasons. It’s a whole host of problems for India’s national identity program. Let me take you through a brief history of Aadhaar, starting from the point of when warning bells began ringing.
A very brief history
Aadhaar was conceptualized as a universal ID system that could allow citizens to avail government services without needing multiple IDs and without the use of middle-men. The idea was to cut friction which had so far hampered the growth of the digital economy and governance, while also removing the pain-point of middle-men or bureaucrats who were thought to be the core reason for corruption and public funds embezzlement. On paper, the idea was grand, though even in the earliest days, privacy concerns were raised – fears that would eventually prove to be true.
It started off smoothly, but the leaky process of registering citizens led to lakhs of fake Aadhaar cards, and the government had another problem on its hands. Fake Aadhaar cards could easily be linked to real bank accounts by criminals to siphon off funds meant for the intended Aadhaar-linked bank account. In addition, by using fake Aadhaar cards as ID proof for new mobile numbers, criminal activity could easily be masked.
So the Indian government was forced to make a new move. This time it compelled citizens to link bank accounts to Aadhaar to stop such fraudulent linkages. And similarly for mobile numbers, too.
But the problem ran far deeper than just simple fake Aadhaar cards, especially when real Aadhaar data was displayed bare-naked by government websites for just about anyone.
Government Leaks Aadhaar
In May 2017, a report from The Center for Internet and Society revealed that the Aadhaar data of over 130 million people, including the bank account numbers of over 100 million of them, had been leaked by government websites due to poorly implemented security measures.
Funnily enough, even the Aadhaar application form of Indian cricket’s former captain, MS Dhoni, could not evade the leaks of 2017, which truly pushed the privacy issue into the national limelight.
— Sakshi Singh (@SaakshiSRawat) March 28, 2017
Then in July 2017, a month when nothing particularly good happened for Aadhaar, an IIT Kharagpur graduate was accused of hacking into UIDAI’s Aadhaar database by exploiting vulnerabilities in another government project, the Digital India app. But this is not the only Aadhaar-related app to be easily hacked, as we will see.
Telcos Misuse Aadhaar
But by now, Indians had already been required to link bank and mobile numbers to their Aadhaar. This issue generated huge controversy because of its mandatory nature, and called into question the legitimacy of Aadhaar.
Also in July last year, a website called ‘magicapk.com’ had leaked the personal data of around 120 million Jio subscribers who activated a Jio connection by using their Aadhaar card, during the telecom carrier’s early phase of market entry. Maharashtra police arrested a computer course dropout from Rajasthan in alleged connection to this leak, but not much else has come into the public light since then.
In December 2017, Jio’s arch-rival Airtel came under the Aadhaar privacy scanner. UIDAI had to suspend Airtel and its banking arm’s Aadhaar-based e-KYC verification process after it was found that Airtel had used customers’ Aadhaar e-KYC details, submitted for SIM verification, to open Airtel Payments Bank accounts for over 3 million customers without their ‘informed consent’.
Fake Aadhaar Cards
A few months before Airtel’s admonishment, in September 2017, another wholly anticipated incident tarnished Aadhaar’s image further. The Uttar Pradesh Special Task Force (STF) busted a gang of criminals involved in making fake Aadhaar cards (Unique Identification numbers, anyone?). Their method of doing so? Well, the gang hacked UIDAI biometric security settings through cloned fingerprint scans. UIDAI itself has been forced to revoke the database access privileges of over 5,000 designated officials over reports of Aadhaar data being sold for paltry sums.
Government Leaks Continue
Around November 2017, the opinion against Aadhaar truly started swelling after a spate of security mishaps and data breaches. But that was just the beginning. Another 200 government and state websites were found to have publicly listed personal information of Aadhaar beneficiaries for an unknown span of time before being removed, something which UIDAI too had to admit.
Rs 500 for a Billion IDs
The most alarming event which laid bare UIDAI’s claims of its database being ‘highly secure’ was reported in January 2018. A sting operation was conducted by the Tribune where it was discovered that one just needs to pay Rs. 500 to access over a billion Aadhaar numbers created so far, alongside the other personal details associated with them.
The government was in denial mode throughout, despite claims to the contrary by the people who allegedly ran the scam. After much pressure, the response was to come up with a Virtual ID that can be used instead of the Aadhaar number in some cases.
mAadhaar App Torn Apart
The Virtual ID would be enabled by UIDAI’s mobile-based Aadhaar solution – the mAadhaar app. But this was another case of bad technology and cyber security.
The #Aadhaar #android app is saving your biometric settings in a local database which is protected with a password. To generate the password they used a random number with 123456789 as seed and a hardcoded string db_password_123 pic.twitter.com/Ty7cPmOjAb
— Elliot Alderson (@fs0c131y) January 10, 2018
Besides the unpolished user interface and the random, frequent crashes, what was scarier were the serious security shortcomings.
Independent security researcher Baptiste Robert, who tweets as @fs0c131y and goes by the nickname Elliot Alderson (both based on TV’s Mr Robot), pointed out the very shallow security measures implemented in mAadhaar’s Android app, which can be cracked open with relative ease to get access to critical biometric data and personal credentials of almost any person.
By force quitting the app when you deactivate this mechanism you don't need to enter the password. pic.twitter.com/HJ8PqyIXS1
— Elliot Alderson (@fs0c131y) January 16, 2018
Now let me put it very clearly. The UIDAI’s database is not adequately fortified to withstand hacking attacks. Neither is the mAadhaar app, which is riddled with basic vulnerabilities too. Robert went on to point out other flaws, including serious issues with WordPress installations on Aadhaar-related domains.
In addition, he has made some serious allegations, which have yet to be refuted by UIDAI or any competent authority in India. This vague and weak security infrastructure around a critical government program has serious ramifications for all Indians.
The official #Aadhaar #android app is sending an SMS to authenticate the user. In general, to avoid abuses, you add a sending rate limit. The user has to wait 2 minutes before resending the SMS. @UIDAI did not implement this kind of limit in the app. What are the consequences?
— Elliot Alderson (@fs0c131y) January 22, 2018
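The resend limit the tweet above asks for, as an added example that is not UIDAI’s or the mAadhaar app’s code. It assumes a server-side hook (the hypothetical `request_otp`) that the app calls, because a limit enforced only inside the client can be bypassed by calling the API directly; the 2-minute cooldown is the figure from the tweet, the daily cap and the phone number are constructed assumptions.

```python
"""Server-side rate limiter for OTP/SMS resend requests (added example)."""
import time
from collections import deque

COOLDOWN_SECONDS = 120        # the 2-minute wait between resends proposed above
MAX_PER_WINDOW = 5            # assumption: at most 5 OTPs per number per window
WINDOW_SECONDS = 24 * 3600    # rolling 24-hour window


class OtpRateLimiter:
    """Tracks OTP send timestamps per phone number.

    Every check runs on the server, where the client cannot skip it; the
    clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._sends = {}   # phone number -> deque of send timestamps

    def request_otp(self, phone: str):
        """Return (allowed, retry_after_seconds) for one resend attempt."""
        now = self._now()
        sent = self._sends.setdefault(phone, deque())
        # forget sends that have aged out of the rolling window
        while sent and now - sent[0] >= WINDOW_SECONDS:
            sent.popleft()
        # cooldown: the last OTP to this number must be older than 2 minutes
        if sent and now - sent[-1] < COOLDOWN_SECONDS:
            return False, int(COOLDOWN_SECONDS - (now - sent[-1]))
        # cap: too many OTPs to this number in the window, even with cooldowns
        if len(sent) >= MAX_PER_WINDOW:
            return False, int(WINDOW_SECONDS - (now - sent[0]))
        sent.append(now)
        return True, 0


if __name__ == "__main__":
    # constructed phone number; an immediate second request is refused
    limiter = OtpRateLimiter()
    print(limiter.request_otp("+91-0000000000"))   # (True, 0)
    print(limiter.request_otp("+91-0000000000"))   # (False, 120)
```

A denied request should also be logged with the phone number and caller identity, since a burst of refused resends is the detection signal for the abuse the tweet hints at.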
And as if UIDAI’s hands were not already full, the regulatory authority added another means of identity verification to the Aadhaar repertoire of biometric security keys – facial recognition.
Now, I may not be the only one to think so, but using facial recognition sounds like the beginning of a draconian system, where IDs are constantly checked and verified by automated processes and AI-enabled cameras. This is the surveillance state that many have warned us about. It’s already happening in China, where minorities and their movements are being tracked with AI-powered cameras.
UIDAI added facial recognition as an extra measure to be of convenience for people who are unable to use their fingerprints or iris scans for authentication, but if it was so, why make it mandatory?
Rarely do former intel chiefs and I agree, but the head of India's RAW writes #Aadhaar is being abused by banks, telcos, and transport not to police entitlements, but as a proxy for identity–an improper gate to service. Such demands must be criminalized. https://t.co/rRSn42XLlQ
— Edward Snowden (@Snowden) January 21, 2018
So what is it good for?
These are just some of the many serious questions surrounding Aadhaar, enough to send a chill down the spine of any citizen concerned about their privacy in India. Forget privacy; Aadhaar’s weak security implementation is an invitation for the world’s least sophisticated hackers to come and siphon away our financial, personal and demographic data.
Aadhaar began as an ambitious project for this very reason. The fears about privacy and security were brushed off by the government, and even now, when some of the lies have been laid bare, it has not refrained from making false claims and promises about the efficiency, benefits and security of the system. The situation is so bad that many are wondering whether scrapping it altogether might be the less expensive option.
From an economic as well as a logical standpoint, getting rid of Aadhaar will be a problem. The immense amount of resources spent on taking Aadhaar from urban spaces to the most remote villages in the country will all go down the drain. Secondly, it won’t be easy to clear the vast cache of data related to this scheme: online data can very rarely be completely erased, especially after it has been active for so many years.
As of now, it seems like the classic dilemma. And so Indians are left wondering exactly what the fate of their Aadhaar lives is. A major case currently being heard in the Supreme Court could decide Aadhaar’s final fate, and the extent to which it can be used for authentication, for availing basic services and for e-governance. Aadhaar has transformed from being the flag bearer of the government’s digitization push to India’s biggest nightmare.