The latest controversy over Aadhaar details being sold for as little as Rs 500 has once again raised concerns about the safety of information with UIDAI.
ThePrint asks: Are the fears over the security of Aadhaar overblown?
If we fear for data security, we must fear more vulnerable platforms than Aadhaar
Associate editor, ThePrint
In a word, yes. But does it mean UIDAI and the government need not address the fears about Aadhaar in critics’ minds? No.
Concerns about privacy and security of the database remain high. Having said that, these fears may be overblown simply because a lot of our other data/information can be accessed far more easily than our Aadhaar data by authorities. The Aadhaar Act, in fact, does specify safeguards to minimise misuse of information.
What information does the Aadhaar database contain? The demographic information Aadhaar asks for, besides biometrics, are very basic — name, address, gender, and date of birth. The responsibility of ensuring the safety of biometrics rests with the UIDAI.
The information collected under Aadhaar can only be used for KYC purposes and not without the consent of the person concerned. The centralised database — the Central Identities Data Repository — contains all Aadhaar numbers issued along with corresponding demographic information and biometrics. It, however, does not have information on where individuals have linked Aadhaar. That information is stored only in the form of federalised/decentralised databases with the respective authorities overseeing the implementation of the service/scheme/benefit with which Aadhaar is linked.
As far as The Tribune’s investigative story is concerned, the UIDAI has pointed out that no biometric data was accessed. However, does this absolve the UIDAI of the responsibility of the leak of demographic data? Most certainly not. It is absolutely unacceptable for any individual’s data, whatever it might be, to be accessed without her/his consent, something which is perhaps routinely being done by various platforms given the proliferation of technology and how much of our information is available online.
This is why it was essential for the Aadhaar Act to be accompanied by a privacy law, which would also safeguard all our individual data and information available.
It does absolutely nothing for the credibility of the UIDAI’s assurances if any sort of data breach happens. But if we fear for the security of our data, we must fear the more vulnerable platforms and not pointedly target Aadhaar.
Soon, Aadhaar data breaches will become the new normal
Interdisciplinary researcher working on data, cities and internet
Aadhaar data breaches are not new, and will become the new normal as lack of clarity prevails on who can demand this voluntarily mandatory number card. If you wondered why Amazon is asking for your Aadhaar, the law does not restrict anyone from collecting Aadhaar with consent, but only restricts it from misusing it. The main question to ask is how, where and who is misusing this data, obtained either legally and illegally.
Aadhaar demographic information can be used without optics or biometrics, as UIDAI itself requests everyone to treat the Aadhaar card as a form of identity. This has been exploited by criminals in Hyderabad to create bank accounts with Aadhaar cards found online and cause a subsidy fraud of Rs 40 lakh for at least 300 individuals in November 2017.
In December 2017, Aadhaar was also misused by Airtel. While carrying out e-KYC for mobile connections, the telecom giant also created payment bank accounts for its customers without informing them. The action by Airtel aided by a design flaw in direct benefit transfers made around 200 crore of subsidy money accumulate in accounts which technically do not exist.
Apart from these subsidy frauds, social engineering attacks by con artists calling citizens posing as bank employees asking for Aadhaar linkage and OTPs have even caused troubles to Members of Parliament. If important people like MPs can get duped, normal people face a greater threat with increasingly available personal information.
It has been almost a year since the first Aadhaar data leak was reported to UIDAI, but it is yet to bring a formal-security reporting mechanism for third party security researchers. Concerns about Aadhaar security are genuine, and the UIDAI must address these concerns instead of filing FIRs against people who point them out.
Mind you, data security isn’t the worst thing about Aadhaar
Associate Professor (Economics), IIT-Delhi
A meme that captures the scale of the Aadhaar problem aptly reads: “BJP’s three monkeys: Demonetisation, GST and Aadhaar”.
The Aadhaar Act allows the sharing of demographic information with requesting entities for a price. Once that entity has your demographic information, it is not very clear what it can (or cannot) do with it. The Tribune’s investigation shows that such entities are selling that data for a price.
Why is this a problem? One is the nuisance value (recall the useless SMSes for property, weight loss, balding, etc). Two, demographic information is used for targeted advertising (say, for dubious insurance policies), which is known to find weak targets (see Cathy O’Neil’s Weapons of Math Destruction). Three, more importantly, it creates huge vulnerabilities to fraud. Phishing attacks are perpetrated with very little information. With every aspect of our life (health records, travel, bank, etc.) forcibly linked up to Aadhaar, it magnifies the vulnerabilities in the system.
News of Aadhaar-enabled fraud is already trickling in. An MP lost Rs 27,000. In Uttar Pradesh, fraudsters registered fake FIRs for SIMs, used the FIR to get fresh SIMs reissued, then used the BHIM app to make transactions.
These were perpetrated without using biometrics. Some believe that biometrics provide an extra layer of security. This is not true. If anything, they increase the vulnerability further. Cloning fingerprints is child’s play. Once cloned, you cannot change them like a password. If your fingerprints do not work, you can be locked out of your own life!
A majority of Indians, lacking in tech, digital and legal literacy, are especially susceptible to such fraud. Moreover, the Aadhaar Act does not allow you to file an FIR even if you are the aggrieved party!
And mind you, data security isn’t the worst thing about Aadhaar.
Compiled by Deeksha Bhardwaj
Read Global Pulse for a sampler of the big international stories, and why they matter.