How Safe is Aadhaar System: Major Leaks, Cases of Security Breach amid Clarifications from UIDAI

Several petitions have been filed in the Supreme Court alleging that Aadhaar violates an individual’s right to privacy.


New Delhi, Mar 13: With the Narendra Modi government pursuing Aadhaar as the central point of governance, the Opposition, along with a plethora of civic activists, has raised a hue and cry over the alleged threat to privacy posed by the biometric identity card. Although the Supreme Court has extended the last date to link the unique identification number with various services indefinitely, the debate around its safety mechanism continues.

Time and again, eyebrows have been raised and questions asked about the safety of the central database of UIDAI (Unique Identification Authority of India), the government body that manages Aadhaar, and about how little effort breaching it is said to require.

From hackers claiming that its front-end application is easily breached, to individuals claiming that its backend database leaks information even to an elementary attack, the controversy has only grown.

While the UIDAI has categorically denied these charges for quite some time now, the whole saga has reignited the old debate over the validity of a centralized data system.

What is Aadhaar?

A unique 12-digit identification number assigned to every individual in India, initially intended to do away with a long list of other identity documents issued in India. It was thus an attempt to create a superset of all such documents.

The UPA government introduced the Aadhaar card system, inspired by the American Social Security number system issued to its citizens. However, no law was passed by Parliament during the UPA regime that defined the boundaries of Aadhaar or its scope of use. With the change in government, the fate of Aadhaar too changed.

What initially began as an exercise to curb the leakage of government subsidies grew into a frenzy when the RBI stepped in and asked banks to link accounts to Aadhaar.

This was followed by cellular networks, digital banks, RTOs, insurance companies and possibly every other institution that offered services asking for an Aadhaar linkage.

The latest we hear is the Election Commission of India asking voters to link their Voter IDs to their Aadhaar numbers.

These details are enough to make us realize that Aadhaar has a one-to-many relationship with services in India, and that any breach of it would have a large-scale impact on most services.

Cases of Aadhaar Breach

A Twitter user going by Elliot Alderson, also known as Baptiste Robert and presumed to be a French security researcher, declared in an attempt to bring the flaws of Aadhaar to light that he was able to retrieve the data of about 20,000 individuals in a time frame of three hours or so. According to the researcher, this was achieved by a manual search on the application, which meant the UIDAI had kept these data public. He questioned the reasoning behind keeping Aadhaar data in the public domain.

The UIDAI responded by claiming that Aadhaar was meant to be public data and that no breach of the central repository had been made. But the claims of one Baptiste Robert, an Android developer, put these assertions in question. He tweeted that he had carried out an SQL injection attack on the Telangana State Postal Service (TSPost) and that the database responded with private information on several individuals, such as demographic, financial and social welfare benefit details, which would not be possible without a join on the Aadhaar repository.

Baptiste Robert stated that he only meant to help the authorities to shore up their defenses against cyber-attacks.

Another incident that laid bare the security lapses surrounding Aadhaar was the disclosure by cyber security enthusiast Abhinav Srivastava. He claimed to have accessed the main database of the Aadhaar-linked E-Hospital app by sending multiple authentication requests.

This in turn allowed him to verify details on behalf of an individual without that person's consent, purportedly defeating the main purpose of the e-verification that Aadhaar claims to provide.

What are the perils of Aadhaar system?

The most important alleged flaw in Aadhaar is the assertion that UIDAI uses outdated technologies and that security patches are perceived not to be applied.

There is also inconsistency in how the source code is modified, and UIDAI lacks complete ownership of the source code. As for storage, raw data is transferred by officials to laptops or PCs, where it is a sitting duck for criminals. Encryption on endpoint devices such as laptops and PCs is not foolproof, and a person with nefarious motives could sell this data or put it online to create havoc.

Another lacuna is that UIDAI is not clear about the audit checklist for its system. Aadhaar's growth into the huge collection of data it is today has made its administration a difficult task.

The checklist covers the collection of data at the source point through to its subsequent flow into the UIDAI central servers.

UIDAI does have a standard operating procedure in place for all of its officials, but is there an audit of this standard procedure?

If there is indeed an audit of the flow of data through the various stages such as PC, PID, ASA and KSA, and on to UIDAI itself, is it foolproof? Does it guarantee zero data loss or prevent theft of data at any of these stages?

Clarification by UIDAI

In response to the French hacker's claim of accessing Aadhaar data, the UIDAI on Monday said such reports should be dismissed. Here is the full statement issued by the nodal Aadhaar agency in a series of tweets:

UIDAI has dismissed as irresponsible the reports which appeared in a section of social and other media questioning the security of the Aadhaar system on account of a few Aadhaar cards reportedly put on the internet by some unscrupulous elements.

UIDAI has advised people not to be confused by such reports, which are far from the truth and intended to spread misinformation on India's robust identity system, Aadhaar, unnecessarily.

Publication of Aadhaar cards by some people has absolutely no bearing on UIDAI and not the least on Aadhaar security. Aadhaar as an identity document by its very nature needs to be shared openly with others as and when required and asked for.

Aadhaar just like any other identity document, therefore, is never to be treated as a confidential document.

Although Aadhaar has to be shared with others, it being personal information like a mobile number, bank account number, PAN card, passport, family details, etc., should ordinarily be protected to ensure the privacy of the person.

If anybody publishes without authorization someone’s personal information such as an Aadhaar card, passport, mobile number, bank account number or photograph, he can be sued for civil damages by the person whose privacy right is infringed.

But in no way does it threaten or impact the security of the system which has issued those respective IDs. For instance, publication of someone's bank a/c, PAN, or passport on the internet does not impact or threaten the security of the banking, Income Tax or passport system.

People do often share such personal information on the internet with some service provider or vendor to get services. This does not in any way impact the security of any such ID system.

Aadhaar is the most trusted and widely held ID that one shows/presents whenever needed. People should freely use it to prove their identity.

By simply knowing someone’s Aadhaar, one cannot impersonate and harm him, because Aadhaar alone is not sufficient to prove one’s identity; it requires biometrics to authenticate one’s identity.

It is reiterated that Aadhaar remains safe and secure and there has not been a single breach of its biometric database during the last eight years of its existence.

Way forward

Several petitions have been filed in the Supreme Court alleging that Aadhaar violates an individual’s right to privacy. It is beyond doubt that Aadhaar has the potential to ease governance, particularly e-governance, in a country notorious for red tape and bureaucracy.

For starters, the government should replace the large central repository of data with small data marts that can be effectively monitored and secured.

Imagine waking up to the news that your bank accounts, phone number, insurance details and address have been put in the public domain; the feeling is appalling, to say the least.

(The above story first appeared on LatestLY on Mar 13, 2018 05:20 PM IST. For more news and updates on politics, world, sports, entertainment and lifestyle, log on to our website latestly.com).
