Saturday, March 25, 2017

Aadhaar: Privacy and Security Implications for One-Sixth of Humanity

Aadhaar, a populist brand name for the 12-digit Unique Identification Number issued by the Unique Identification Authority of India (UIDAI), is the world's largest ID scheme. It is a biometrics-based identification system which collects iris scans, fingerprints of all ten fingers, and a photograph of the person. It also collects information such as name, gender, date of birth and address of the individual, and optionally mobile number and email address. This information is used to identify any individual uniquely. This article will raise points on Aadhaar's security and privacy implications for the 1/6th of the world's population currently enrolled in its database.

Privacy Concern


There are many troublesome features, provisions, mandates and directives in Aadhaar which make the privacy of any citizen a myth. Furthermore, any non-compliance primarily results in either discrimination against non-holders or their criminalization (more details below, keep reading).

Aadhaar stores your most private data, your biometric signatures from iris and all fingerprints, coupled with name, gender, date of birth, photograph and address, in a centralized database. This central repository itself is the biggest privacy concern. UIDAI defends this on the ground that many government agencies already have this on citizens. No, they do not. None of them have all of your biometric information. Aadhaar is the first one in India with such a level of biometric data collected from people.

In fact, UIDAI was legally incorporated only in March 2016 vide the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. Before that, it only functioned as an "attached office of the Planning Commission." The Planning Commission has no legal mandate to collect any biometric data from Indian citizens, let alone foreign residents. Moreover, it has no mandate for any identification scheme. By the time UIDAI started existing legally in 2016, it had already collected biometric data of ~600 million people, without any oversight and without being answerable to anyone.

Privacy of an individual is still an alien concept in India. Probably that is why Indian privacy laws are non-existent. Take the example of the Goa court ruling in 2013. The court asked UIDAI to hand over all data of all persons in Goa to the CBI. Mind you, this is raw, unencrypted data: not an API to search through all citizens' data in Goa, but the complete raw data! There you go, all your privacy assertions bit the dust.

"The Government" is a very vague, headless entity and is very conveniently used to forever pass the buck around. Ideally, it consists of the judiciary, legislature and executive, with the intention of appropriate checks and balances at all levels. Practically, however, as just demonstrated in the last paragraph, it has all kinds of loopholes in every nook and corner to achieve the intentions of the legislature. Let's take some examples in the case of Aadhaar:

UIDAI was established by an "executive order" in 2009. It was not a legal, answerable entity until 2016.

UIDAI was legally set up in 2016 vide the Aadhaar Act 2016. It was introduced as a Money Bill (why and how on earth?). The only plausible reason seems to be to bypass the Rajya Sabha, as it has limited powers over Money Bills. (The Rajya Sabha may not amend money bills but can recommend amendments.)
The judiciary, again a part of the Government, has repeatedly (in at least 3 instances from the Supreme Court itself) asserted in the past that Aadhaar is "voluntary and not mandatory" and that "no person should suffer for not getting Aadhaar", as the government cannot deny a service to a resident if s/he does not possess Aadhaar. Yet people are increasingly being forced to get Aadhaar, the latest news being that Aadhaar would now be compulsory for filing income tax returns. So, if a person wants to diligently perform his/her duties as a responsible citizen by paying taxes, but doesn't want to have Aadhaar, s/he now cannot pay taxes anymore. It is a direct attack on civil liberty. S/he is now a criminal in the view of the Government, and the Income Tax Department can very well initiate action against this person.

UIDAI claims Aadhaar "has no linkage to any other systems such as PAN, Passport, Driver's License", but we now have news of Aadhaar being mandatory for filing tax returns.
Alas, under the Aadhaar Act 2016, the Unique Identification Authority of India can now file a First Information Report (FIR) against any citizen who questions its security.

Right to be Forgotten

While there is no "Right to be Forgotten" in India as there is in Europe, Aadhaar is fundamentally against this privacy provision. Once your data is in the database, there is no way you can get it deleted from Aadhaar's database. To be fair, UIDAI does give an option to "lock" your biometric details, so that no third party can use them for authenticating your Aadhaar number via UIDAI's authentication gateway. However, your data is still present in the database, and once saved there, there is no way you can get it removed.

Mass Surveillance


UIDAI argues that Aadhaar just provides a "yes/no" answer* to an authentication request and hence can't be used for any meaningful monitoring. However, when connected to all kinds of services, Aadhaar becomes a viable tool for mass surveillance. Every aspect of your life, such as your financial transactions, your travel tickets, your telephone calls (yeah, just yesterday DoT issued a notification to all telecom companies to compulsorily re-verify every user with their Aadhaar IDs), your residence, etc., would now be connected with one single entity, and that is Aadhaar. Using Aadhaar for mass surveillance is not a technologically impossible task. This kind of capability already exists with governments in some countries, as demonstrated by the Snowden leaks on the NSA and the recent WikiLeaks release on the CIA. Yeah, it is technologically feasible to implement mass surveillance once you have Aadhaar mapped to every service of any kind used by the population.

While the current Government can be assumed to have good intentions in mind for Aadhaar, this can never be guaranteed for any future Government. As previously mentioned, under the Aadhaar Act 2016, UIDAI can file an FIR against any citizen who questions its security. This intimidating threat does not bode well for either the Government or UIDAI.

It is as simple as this: never trust the Government**. So never believe that it will keep your data safe. After the Aadhaar Act 2016, UIDAI can now also provide your details to the authentication requester instead of just a "yes/no" answer. UIDAI will not provide your "core biometric" details in any case. Do not trust any private entity either.

Data Security Risk


The first rule of cyber security researchers is: all systems have vulnerabilities.

In other words, all systems can be hacked. This is acknowledged by UIDAI itself, which says "One can never say never in any security systems."

Security of a system is only as strong as its weakest link. All of UIDAI's hardware (network infrastructure, biometric sensors, servers, and processing platforms) and software are procured from third-party companies.

Hardware can be backdoored. The recent WikiLeaks release on the CIA showed the CIA exploiting vulnerabilities in Cisco hardware.

Software has its 0-day vulnerabilities. No one can guarantee their software to be free of vulnerabilities.

UIDAI routinely advertises "2048-bit encryption which will take billions of years to crack". The point is:
Encryption can be broken, though it is very tough to do so. This is different from cracking it by brute force. Although there is no publicly available information on 2048-bit RSA having been broken yet, we can never be sure.
Encryption can be bypassed! There are many instances where you do not even need to decrypt or break anything. Instead, a coding bug will happily hand over the raw data when exploited correctly.

A compromised enrolment station node can bring down the integrity of the complete system. State actors from some countries may (or already do) possess the capability to carry out elaborate attacks against UIDAI infrastructure. These threats cannot be discounted.

UIDAI's data may also be susceptible to insider attacks. We have no information on the access control protocol followed by them, which brings me to my point that we need an Independent Auditor for UIDAI (more on this later).

The biggest security issue with Aadhaar is that it stores all the data as raw data in encrypted form. If they had instead saved the data as a hash using a secure hashing algorithm, much of the security concern would have vanished. Need to authenticate anyone? Just match the hashes instead of checking the raw data. Such steps are taken all over the world to verify anyone. Even if they had stored the general data (name, photographs and personal details) in raw form but the biometrics in hashed form, much of the security concern would have vanished. Unfortunately, however, they store the raw biometric data in their database after encrypting it.

If the data is stolen and an adversary can decrypt it (via indirect attacks), then the game is over. The attacker would have access to the personal biometric data of 1/6th of humanity, which can be abused in a dangerous manner (especially when Aadhaar gets connected to each and every service). It can be used as a cyberwarfare tool.

Storing hashed biometrics in encrypted form would have been a better bet. However, to be fair to UIDAI, a big issue with using hashes for biometrics is that you need to normalize your raw biometric data before hashing, else even a slight deviation will result in an entirely different hash value.
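As an added illustration (not code from the original post, and not UIDAI's scheme), the toy templates below show the normalization problem just described: a plain hash of raw sensor readings never matches a second capture of the same finger, a coarse quantization before hashing makes it match, and a reading that lands near a quantization boundary still fails. The "minutiae" coordinates, the bin size and the normalization routine are all constructed assumptions for the demonstration.

```python
import hashlib
import struct

# Constructed toy "templates": (x, y) positions of a few minutiae in normalized
# sensor coordinates. Not real fingerprint data.
ENROLLED = [(0.12, 0.85), (0.45, 0.33), (0.71, 0.58), (0.94, 0.15)]
# Second capture of the same finger: tiny sensor noise on every coordinate.
RECAPTURE = [(0.121, 0.849), (0.452, 0.331), (0.709, 0.581), (0.941, 0.149)]
# A different finger altogether.
OTHER = [(0.30, 0.20), (0.55, 0.66), (0.10, 0.95), (0.82, 0.40)]
# Two captures whose first minutia straddles a bin edge at x = 0.10 (bins=10).
EDGE_A = [(0.101, 0.85)] + ENROLLED[1:]
EDGE_B = [(0.099, 0.85)] + ENROLLED[1:]


def hash_raw(template):
    """SHA-256 over the raw floating-point readings, with no normalization."""
    payload = b"".join(struct.pack("<dd", x, y) for x, y in template)
    return hashlib.sha256(payload).hexdigest()


def normalize(template, bins=10):
    """Assumed normalization: quantize each coordinate onto a coarse grid and
    sort the points, so small noise maps to one canonical representation."""
    cells = [(min(int(x * bins), bins - 1), min(int(y * bins), bins - 1))
             for x, y in template]
    return tuple(sorted(cells))


def hash_normalized(template, bins=10):
    """SHA-256 over the canonical (quantized, sorted) representation."""
    payload = ",".join(f"{x}:{y}" for x, y in normalize(template, bins)).encode()
    return hashlib.sha256(payload).hexdigest()


def hamming_bits(hex_a, hex_b):
    """Differing bits between two digests; ~128 of 256 for unrelated inputs."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def raw_hash_matches(a, b):
    return hash_raw(a) == hash_raw(b)


def normalized_hash_matches(a, b, bins=10):
    return hash_normalized(a, bins) == hash_normalized(b, bins)
```

The boundary failure (EDGE_A vs EDGE_B) is why production designs use error-tolerant constructions such as fuzzy extractors rather than simple quantization before hashing.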

Independent Auditing and Overseeing Authority


We need to have an Independent Auditing and Overseeing Authority with the necessary competence in this kind of verification (the CAG is insufficient). UIDAI's access control protocol needs to be audited by someone on the lines of the Nuclear Command Authority of India, with stringent measures on any lapse.

UIDAI's hardware, software and overall architecture need to be regularly audited by a team of security researchers, and reports made public to Indian citizens after fixing any issues.

Additionally, biometrics should not be stored in raw encrypted form. Since Aadhaar advertises itself as just an authentication provider, it has no business storing raw biometric data. Hashed biometric data would be sufficient for this task.

Finally, UIDAI should be made answerable to the general population and the Auditing and Overseeing Authority, which it currently isn't. Instead, it threatens to file an FIR against any citizen trying to question its security.

Rohit Singh is a technology enthusiast from New Delhi, who loves to spend his time tinkering with custom electronics hardware. He keeps an eye on events in cyber security, with a special interest in hardware security. He is a supporter of strong Data Protection and Privacy Laws in India. He can be reached at