Skip to main content

Aadhaar: Privacy and Security Implications for One-Sixth of Humanity

Aadhar programme logo for india. The biggest biometric database of India.


Introduction

Aadhaar, a populist brand name for a 12-digit Unique Identification Number issued by Unique Identification Authority of India (UIDAI), is the world's largest ID scheme. It is a biometrics-based Identification System which collects Iris scans, fingerprints of all ten fingers, and a photograph of the person. It also collects information such as name, gender, date of birth, the address of the individual, and optionally mobile and email address. This information is used to identify any individual uniquely.  This article will raise points on Aadhaar's security and privacy implications for 1/6th of world's population currently enrolled into its database.

Privacy Concern

scanning fingerprints and iris of eye is the sensitive data of aadhar program


There are many troublesome features, provisions, mandates and directives in Aadhar which make privacy of any citizen a myth. Furthermore, any non-compliance primarily results in either discrimination to non-holders or their criminalization (more details below, keep reading).

Aadhaar stores your most private data, your biometric signatures from Iris and all fingerprints, coupled with name, gender, date of birth, photograph and address, in a centralized database. This central repository itself is the biggest privacy concern. UIDAI defends this on the ground that many government agencies already have this on citizens. No, they do not. None of them have all of your biometric information. Aadhar is the first one in India with such level of biometric data collected from people.

In fact, UIDAI was legally incorporated only in March 2016 vide the Aadhaar Act (Targeted Delivery of financial and other subsidies, benefits and services) 2016. Before that, it only functioned as an "attached office of Planning Commission." Planning Commission has no legal mandate to collect any biometric data from Indian citizens, let alone, foreign residents. Moreover, it has no mandate for any identification scheme. By the time UIDAI started existing legally in 2016, it had already collected biometric data of ~600 million population. That too, without any oversight and being answerable to anyone.

Privacy of an individual is still an alien concept in India. Probably that is why Indian Privacy Laws are non-existent. Let's take an example of Goa Court ruling in 2013. The court asked UIDAI to hand over all data of all persons in Goa to CBI. Mind you, this is raw, unencrypted data, not an API to search through all citizen's data in Goa, but complete raw data! There you go, all your privacy assertions bit the dust.

"The Government" is a very vague, headless entity and very conveniently used to forever pass the buck around. Ideally, It consists of judiciary, legislative and executive, with the intention of appropriate checks-and-balances at all levels. However, practically, as just demonstrated in the last paragraph, it has all kinds of loopholes in every nook and corner to achieve the intentions of legislative. Let's take some examples in the case of Aadhaar:

UIDAI was established by an "executive order" in 2009. Not a legal, answerable entity till 2016

UIDAI was legally set up in 2016 vide Aadhaar Act 2016. Also, It was introduced as a Money Bill (why and how on earth?). The only plausible reason seems to be able to bypass Rajya Sabha as it has limited powers in Money Bills. (The Rajya Sabha may not amend money bills but can recommend amendments.)
Judiciary, again a part of Government has repeatedly (at least in 3 instances from Supreme Court itself) asserted in the past, that Aadhaar is "voluntary and not mandatory" and that "no person should suffer for not getting Aadhaar" as the government cannot deny a service to a resident if s/he does not possess Aadhaar. People are increasingly being forced to get Aadhaar, latest news being that Aadhaar would now be compulsory for filing income tax returns. So, if a person wants to diligently perform his/her duties as a responsible citizen by paying taxes, but doesn't want to have Aadhaar, now s/he cannot pay taxes anymore. It is a direct attack on the civil liberty. S/he is now a criminal in view of Government, and Income Tax Department can very well initiate actions against this person.

UIDAI claims Aadhaar has "has no linkage to any other systems such as PAN, Passport, Driver's License" but we now have news of Aadhaar being mandatory for filing Tax Returns. 
Alas, Under the Aadhaar Act 2016, the Unique Identification Authority of India can now file a First Information Report (FIR) against any citizen who questions its security.

Right to be Forgotten


While there is no "Right to be Forgotten" in India as in Europe, Aadhaar is fundamentally against this privacy provision. Once your data is in the database, there is no way you can get your data deleted from Aadhaar's database. To be fair, UIDAI does give an option to "lock" your biometric details, so that no 3rd party can use it for authenticating your Aadhaar number via UIDAI's authentication gateway. However, your data is still present in the database. Once saved in UIDAI's database, there is no way you can get your data removed. 

Mass Surveillance 

Extensive surveillance of government to keep the citizens under scrutiny.


UIDAI argues that Aadhaar just provides a "yes/no" answer* to an authentication request and hence can't be used for any meaningful monitoring. However, when connected to all kinds of services, Aadhaar starts becoming a viable tool for mass surveillance. Every aspect of your life such as your financial transactions, your travel tickets, your telephone calls (yeah, just yesterday DoT issued a notification to all telecom companies to compulsorily re-verify every user with their Aadhaar IDs), your residence, etc.  would now be connected by with one single entity and that is Aadhaar. It is not a technologically impossible task to use Aadhaar for mass surveillance. This kind of capability already exists with governments in some countries, as demonstrated by Snowden Leaks on NSA and recent WikiLeaks release on CIA. Yeah, it is technologically feasible to implement mass surveillance once you have Aadhaar mapped to every service of any kind which is used by the population.

While the current Government can be assumed to have good intentions in mind for Aadhaar, this can never be guaranteed by any future Government. As previously mentioned too, under Aadhaar Act 2016, UIDAI can file a FIR against any citizen who questions its security. This intimidating threat does not bode well for either Government or UIDAI. 

It is as simple as this: Never trust the Government**. So never believe that it will keep your data safe. After Aadhaar Act 2016, UIDAI can now also provide your details to authentication requester instead of just "yes/no" answer. UIDAI will not provide your "core biometric" details, in any case. Neither trust any private entity either.

Data Security Risk

aadhar is a threat to privacy and data security.


The first rule of Cyber Security researchers is: All systems have vulnerabilities.

Alternatively, all systems can be hacked. It is acknowledged by UIDAI itself which says "One can never say never in any security systems." 

Security of a system is only as strong as its weakest link. All of UIDAI's hardware (network infrastructure, biometric sensors, servers, and processing platforms) and software are procured from third party companies. 

Hardware can be backdoored. Recent Wikileaks on CIA has shown CIA exploiting vulnerabilities on Cisco hardware.

The software has their 0-day vulnerabilities. No one can guarantee their software to be free of any vulnerabilities. 

UIDAI routinely advertises "2048-bit encryption which will take billions of years to crack". Point is:
Encryption can be broken though it is very tough to do so. This is different from cracking it by brute-force. Although there is no publicly available information on 2048-bit RSA being broken yet, we can never be sure.
Encryption can be bypassed! There are many instances where you do not even need to decrypt/break anything. Instead, a coding bug will be happy to give you raw data when exploited correctly.

A compromised Enrolment Station node can bring down the integrity of the complete system. State-actors from some countries may (or already do) possess the capability to carry out elaborate attacks against UIDAI infrastructure. These measures cannot be discounted.

UIDAI's data may also be susceptible to insider attacks. We have no information on the access control protocol followed by them, which brings to my point that we need an Independent Auditor for UIDAI (more on this later).

Biggest security issue with Aadhaar is that it stores all the data as raw data in encrypted form. If they would have, instead, saved the data as a hash using a secure hashing algorithm, then much of the security concerns would have vanished. Need to authenticate anyone? Just match the hashes instead of checking the raw data. These steps are taken all over the world to verify anyone. Even if they would have stored the general data (name, photographs and personal details) in raw form, but the biometrics in hashed form, then also much of the security concerns would have vanished. However, unfortunately, they store the raw biometric data in their database after encrypting it. 

If the data is hacked and an adversary can decrypt it (via indirect attacks), then the game is over. The hacker would have access to personal biometric data of 1/6th of humanity which can be abused in a dangerous manner (especially when Aadhar gets connected to each and every service). It can be used as a cyberwarfare tool.

Storing hashed biometrics in encrypted form would have been a better bet. However, to be fair to UIDAI, a big issue with using hashes for biometrics is you need to normalize your raw biometric data before hashing, else even a slight deviation will result in an entirely different hash value. 

Independent Auditing and Overseeing Authority

independent auditing and overseeing authoirty to stop misuse of power.


We need to have an Independent Auditing and Overseeing Authority with necessary competence in this kind of verification (CAG is insufficient). UIDAI's access control protocol needs to be audited by someone on the lines of Nuclear Command Authority of India, with stringent measures on any lapse. 

UIDAI's hardware, software and overall architecture need to be regularly audited by a team of security researchers, and reports made public to Indian citizens after fixing any issues.

Finally, biometrics should not be stored in raw encrypted form. Since Aadhaar advertises itself as just an authentication provider, it has no business storing raw biometric data. Hashed biometric data would be sufficient for this task.

Finally, UIDAI should be made answerable to the general population and the Auditing and Overseeing Authority, which it currently isn't. It instead threatens to file FIR on any citizen trying to question its security.

Rohit Singh is a technology enthusiast from New Delhi, who loves to spend his time tinkering with custom electronics hardware. He keeps an eye on events in cyber security, with a special interest in hardware security. He is a supporter of strong Data Protection and Privacy Laws in India. He can be reached at myrahmalo@gmail.com

Popular posts from this blog

PM Narendra Modi and the rise of India in the new world order

Well first of all, If you are reading this then I would like to present you with a good news. In fact, I’ll hit you up with two if it doesn’t take you to cheer up. If you are not smiling already then please don’t hold back because you are witness of History. This is going down in history books. India got independence in 1947. It was a moment of great pride for the nation that was attributed as “Sonay ki chidiya” (the golden bird) to come out from the oppression of millennia. Unfortunately, the sad state of affairs continued when Indian national congress led by Pandit Jawaharlal Nehru reigned in. It was the same twisted notions of white people carried forward by Netas and Babus. India never really got independence. It was just a shift of top brass from British raj to Nehru family Raj.
.

Cut to 2014. Coming to power will full majority. NDA led government of Narendra Modi promised Acche Din. Taking down on the impeccable record of 60years of Nehru family Raj in general elections. Modi S…

What's on your idiotbox

Sex is used to sell anything and everything but buying and selling of sex is illegal. There is so much of sex on TV it is okay to feel uncanny. After doing a write up on Whats on your mind to uncover the secrets of the advertisement industry. We are here to look at some of the most hideous TV shows that pull off the dirt without hitting it to the naked eye. To the best understanding of the producers it is the easiest and fastest way of selling the commodity to the public without investing too much into creative skills. All you need to do is brush up your camouflaging skills to induce the minds of the viewers with aphrodisiac content and the results will follow. The banality is not the only problem with Indian television there's much more darker to TV that we see and justify to ourselves without realising how it casts a shadow over the society by subjugating us to the wrongdoings in the society. Here we see the list of shows that have made their way to the top using these skills.

C…

To the woman I condone

What would the world be like without womanhood. I can't simmer down in that stream of thought. This is for the woman who have lived and loved in pain. The one who asks for nothing but always pours out love and strength in unconditional amount.

While most of the people are looking to be saved. There's always someone who is willing to take a leap of faith and cross the larger distance. It is the virtue of modesty that drives them the most amazing feats. However, they are more likely to be caught in the whimsical world of power and domination. The world takes spins and turns but woman hold the majestic grace of keeping the world still at her bay. Something that the will of masculine can never achieve. It is that charm that binds us to the beautiful existence of womanhood.

Recognise the one who is there for you without even letting you notice it. You will fall gently in her grace. Reach out to the one. She cries alone at night too often. The breaking point of vulnerability weighs…