Aadhaar: Privacy and Security Implications for One-Sixth of Humanity

Introduction

Aadhaar, a populist brand name for a 12-digit Unique Identification Number issued by the Unique Identification Authority of India (UIDAI), is the world's largest ID scheme. It is a biometrics-based identification system which collects iris scans, fingerprints of all ten fingers, and a photograph of the person. It also collects information such as name, gender, date of birth, the address of the individual, and optionally mobile number and email address. This information is used to identify any individual uniquely. This article raises points on Aadhaar's security and privacy implications for the 1/6th of the world's population currently enrolled in its database.

Privacy Concern

There are many troublesome features, provisions, mandates and directives in Aadhaar which make the privacy of any citizen a myth. Furthermore, any non-compliance primarily results in either discrimination against non-holders or their criminalization (more details below, keep reading).

Aadhaar stores your most private data, your biometric signatures from iris and all fingerprints, coupled with name, gender, date of birth, photograph and address, in a centralized database. This central repository itself is the biggest privacy concern. UIDAI defends this on the grounds that many government agencies already hold this data on citizens. No, they do not. None of them have all of your biometric information. Aadhaar is the first in India to collect this level of biometric data from people.

In fact, UIDAI was legally incorporated only in March 2016 vide the Aadhaar Act (Targeted Delivery of financial and other subsidies, benefits and services) 2016. Before that, it only functioned as an "attached office of Planning Commission." The Planning Commission has no legal mandate to collect any biometric data from Indian citizens, let alone foreign residents. Moreover, it has no mandate for any identification scheme. By the time UIDAI started existing legally in 2016, it had already collected the biometric data of ~600 million people, without any oversight and without being answerable to anyone.

Privacy of an individual is still an alien concept in India. Probably that is why Indian privacy laws are non-existent. Take the example of a Goa court ruling in 2013. The court asked UIDAI to hand over all data of all persons in Goa to the CBI. Mind you, this is raw, unencrypted data, not an API to search through all citizens' data in Goa, but complete raw data! There you go, all your privacy assertions bite the dust.

"The Government" is a very vague, headless entity, very conveniently used to forever pass the buck around. Ideally, it consists of the judiciary, legislature and executive, with the intention of appropriate checks and balances at all levels. However, practically, as just demonstrated in the last paragraph, it has all kinds of loopholes in every nook and corner to achieve the intentions of the legislature. Let's take some examples in the case of Aadhaar:

UIDAI was established by an "executive order" in 2009. It was not a legal, answerable entity till 2016.

UIDAI was legally set up in 2016 vide the Aadhaar Act 2016. It was introduced as a Money Bill (why and how on earth?). The only plausible reason seems to be to bypass the Rajya Sabha, as it has limited powers over Money Bills. (The Rajya Sabha may not amend money bills but can recommend amendments.)

The judiciary, again a part of Government, has repeatedly (in at least 3 instances from the Supreme Court itself) asserted in the past that Aadhaar is "voluntary and not mandatory" and that "no person should suffer for not getting Aadhaar", as the government cannot deny a service to a resident if s/he does not possess Aadhaar. Yet people are increasingly being forced to get Aadhaar, the latest news being that Aadhaar would now be compulsory for filing income tax returns. So, if a person wants to diligently perform his/her duties as a responsible citizen by paying taxes, but doesn't want to have Aadhaar, s/he cannot pay taxes anymore. It is a direct attack on civil liberty. S/he is now a criminal in the view of the Government, and the Income Tax Department can very well initiate action against this person.

UIDAI claims Aadhaar "has no linkage to any other systems such as PAN, Passport, Driver's License", but we now have news of Aadhaar being mandatory for filing tax returns.

Alas, under the Aadhaar Act 2016, the Unique Identification Authority of India can now file a First Information Report (FIR) against any citizen who questions its security.

Right to be Forgotten


While there is no "Right to be Forgotten" in India as in Europe, Aadhaar is fundamentally against this privacy provision. Once your data is in the database, there is no way you can get your data deleted from Aadhaar's database. To be fair, UIDAI does give an option to "lock" your biometric details, so that no third party can use them for authenticating your Aadhaar number via UIDAI's authentication gateway. However, your data is still present in the database. Once saved in UIDAI's database, there is no way you can get your data removed.

Mass Surveillance

UIDAI argues that Aadhaar just provides a "yes/no" answer* to an authentication request and hence can't be used for any meaningful monitoring. However, when connected to all kinds of services, Aadhaar starts becoming a viable tool for mass surveillance. Every aspect of your life, such as your financial transactions, your travel tickets, your telephone calls (yeah, just yesterday DoT issued a notification to all telecom companies to compulsorily re-verify every user with their Aadhaar IDs), your residence, etc., would now be connected with one single entity, and that is Aadhaar. It is not a technologically impossible task to use Aadhaar for mass surveillance. This kind of capability already exists with governments in some countries, as demonstrated by the Snowden leaks on the NSA and the recent WikiLeaks release on the CIA. Yeah, it is technologically feasible to implement mass surveillance once you have Aadhaar mapped to every service of any kind which is used by the population.

While the current Government can be assumed to have good intentions in mind for Aadhaar, this can never be guaranteed of any future Government. As mentioned previously, under the Aadhaar Act 2016, UIDAI can file an FIR against any citizen who questions its security. This intimidating threat does not bode well for either the Government or UIDAI.

It is as simple as this: never trust the Government**. So never believe that it will keep your data safe. After the Aadhaar Act 2016, UIDAI can now also provide your details to the authentication requester instead of just a "yes/no" answer. UIDAI will not provide your "core biometric" details in any case. Do not trust any private entity either.

Data Security Risk

The first rule of cyber security researchers is: all systems have vulnerabilities.

Alternatively, all systems can be hacked. This is acknowledged by UIDAI itself, which says "One can never say never in any security systems."

The security of a system is only as strong as its weakest link. All of UIDAI's hardware (network infrastructure, biometric sensors, servers, and processing platforms) and software are procured from third-party companies.

Hardware can be backdoored. The recent WikiLeaks release on the CIA has shown the CIA exploiting vulnerabilities in Cisco hardware.

Software has its 0-day vulnerabilities. No one can guarantee that their software is free of vulnerabilities.

UIDAI routinely advertises "2048-bit encryption which will take billions of years to crack". The point is:

Encryption can be broken, though it is very tough to do so. This is different from cracking it by brute force. Although there is no publicly available information on 2048-bit RSA being broken yet, we can never be sure.

Encryption can be bypassed! There are many instances where you do not even need to decrypt or break anything. Instead, a coding bug will be happy to give you raw data when exploited correctly.

A compromised Enrolment Station node can bring down the integrity of the complete system. State actors from some countries may (or already do) possess the capability to carry out elaborate attacks against UIDAI infrastructure. Such attacks cannot be discounted.

UIDAI's data may also be susceptible to insider attacks. We have no information on the access control protocol followed by them, which brings me to my point that we need an Independent Auditor for UIDAI (more on this later).

The biggest security issue with Aadhaar is that it stores all the data as raw data in encrypted form. If they had instead saved the data as a hash using a secure hashing algorithm, then many of the security concerns would have vanished. Need to authenticate anyone? Just match the hashes instead of checking the raw data. These steps are taken all over the world to verify anyone. Even if they had stored the general data (name, photographs and personal details) in raw form but the biometrics in hashed form, many of the security concerns would still have vanished. However, unfortunately, they store the raw biometric data in their database after encrypting it.

If the data is hacked and an adversary can decrypt it (via indirect attacks), then the game is over. The hacker would have access to the personal biometric data of 1/6th of humanity, which can be abused in a dangerous manner (especially when Aadhaar gets connected to each and every service). It can be used as a cyberwarfare tool.

Storing hashed biometrics in encrypted form would have been a better bet. However, to be fair to UIDAI, a big issue with using hashes for biometrics is that you need to normalize your raw biometric data before hashing, else even a slight deviation will result in an entirely different hash value.
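The normalization problem described above, as an added illustration (not code from UIDAI or from the original article). The feature vectors are constructed and the bin width STEP is an assumption; the code shows that an unnormalized rescan produces an unrelated SHA-256 digest, that quantizing first restores the match, and that a value sitting near a bin edge still breaks it.

```python
import hashlib
import struct

STEP = 0.05  # assumed quantization bin width (hypothetical)

# Constructed feature vectors standing in for one finger's extracted template.
ENROLLED    = [0.312, 0.871, 0.128, 0.351]
RESCAN      = [0.314, 0.869, 0.127, 0.353]  # same finger, small sensor noise
RESCAN_EDGE = [0.314, 0.869, 0.127, 0.349]  # same noise level, last value crosses a bin edge


def raw_hash(features):
    """Hash the measurements exactly as captured (no normalization)."""
    return hashlib.sha256(struct.pack(f"<{len(features)}d", *features)).hexdigest()


def quantized_hash(features, step=STEP):
    """Normalize by flooring each value to a bin index, then hash the indices."""
    bins = [int(f // step) for f in features]
    return hashlib.sha256(struct.pack(f"<{len(bins)}q", *bins)).hexdigest()


def bit_difference(hex_a, hex_b):
    """Number of differing bits between two hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def compare(enrolled, probe):
    """Return (raw digests match, quantized digests match, differing raw bits)."""
    raw_a, raw_b = raw_hash(enrolled), raw_hash(probe)
    return (raw_a == raw_b,
            quantized_hash(enrolled) == quantized_hash(probe),
            bit_difference(raw_a, raw_b))


if __name__ == "__main__":
    for label, probe in [("rescan", RESCAN), ("rescan near bin edge", RESCAN_EDGE)]:
        raw_ok, quant_ok, bits = compare(ENROLLED, probe)
        print(f"{label}: raw match={raw_ok}, quantized match={quant_ok}, "
              f"raw digests differ in {bits}/256 bits")
```

The bin-edge case is why simple quantization alone is not enough for hash-based biometric matching: a reading near a boundary flips the digest under the same small noise that the other readings tolerate.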

Independent Auditing and Overseeing Authority

We need to have an Independent Auditing and Overseeing Authority with the necessary competence in this kind of verification (CAG is insufficient). UIDAI's access control protocol needs to be audited by someone along the lines of the Nuclear Command Authority of India, with stringent measures on any lapse.

UIDAI's hardware, software and overall architecture need to be regularly audited by a team of security researchers, and reports made public to Indian citizens after fixing any issues.

Finally, biometrics should not be stored in raw encrypted form. Since Aadhaar advertises itself as just an authentication provider, it has no business storing raw biometric data. Hashed biometric data would be sufficient for this task.

Finally, UIDAI should be made answerable to the general population and to the Auditing and Overseeing Authority, which it currently isn't. It instead threatens to file an FIR on any citizen trying to question its security.

Rohit Singh is a technology enthusiast from New Delhi, who loves to spend his time tinkering with custom electronics hardware. He keeps an eye on events in cyber security, with a special interest in hardware security. He is a supporter of strong Data Protection and Privacy Laws in India. He can be reached at myrahmalo@gmail.com
