BY SRINIVAS KODALI ON 05/01/2018 •
The biometric identification agency and the government need to start listening to those who are pointing out critical flaws instead of issuing blanket denials and template answers.
The UIDAI’s selective and misleading denials to data breaches within the larger UID ecosystem are doing more harm than good. Credit: PTI
It is no surprise that the latest data and security breach surrounding the Aadhaar biometric programme has been selectively denied by the Unique Identification Authority of India (UIDAI), the government of India and the Bharatiya Janata Party.
All three have slammed news reports, calling it mis-reporting even though the process of filing a first information report (FIR) is underway and the portal where the alleged breach took place (portal.uidai.gov.in) has been shut down since the news started making waves.
Increasingly worn out defences were also mounted and trotted out – the UIDAI stated that Aadhaar biometric data is completely safe and cannot be accessed by any rogue individual. It stoically, and misleadingly, maintained that the Central Identities Database Repository (CIDR) was safe even though nobody (including The Tribune) claimed that biometrics were accessed or the CIDR was compromised.
The UIDAI also curiously engaged in a dangerous campaign of misinformation by claiming that the demographic data associated with Aadhaar numbers (name, gender, age phone numbers, addresses) is not sensitive information. Its implication is that it is wholly acceptable for this data to be in the public domain even though the Aadhaar Act of 2016 specifically states otherwise.
No #Aadhaar data breach; Aadhaar data including biometric information is fully safe and secure: @UIDAI, denying report by @thetribunechd, saying it is a case of misreporting 1/2 pic.twitter.com/2d4ORHqqMh
Claims of bypassing or duping the #Aadhaar enrollment system are totally unfounded: @UIDAI, denying report by @thetribunechd 2/2 pic.twitter.com/Rn3k15mDJJ
However, even on its claims of biometric data and the enrolment process being secure, the UIDAI falls short. It has filed two FIRs over attempts that were made to breach the biometric authentication process in Uttar Pradesh. The UP Police Special Investigation Task Force has arrested a gang believed to have built their own Aadhaar registration clients, bypassing both biometric and iris protections designed for the enrolment procedure.
Leaving this aside though, it has become clear that this is how the UIDAI acts when presented with evidence that its wider ecosystem is filled with holes and is leaking profusely. Every time a security incident is reported, the agency puts out blanket denials even before investigating what has transpired. In the latest breach, the filing of an FIR clearly indicates something has gone wrong and thus needs to be further investigated.
Since the formalisation of the UID programme through the 2016 Aadhaar Act, breaches in the wider ecosystem have piled up. Nearly a year after the Act was pushed through the Lok Sabha, the minister of state for information technology replied to a question in parliament, admitting that over 200 government websites had been publishing Aadhaar numbers and the list of these websites have been made available in a subsequent parliamentary question.
Clearly multiple breaches and security lapses have been reported to the UIDAI as acknowledged in parliamentary questions.
Screenshots of DSDV (basic licence), which allows third parties (both public and private) to access Aadhaar data (1/2)
What is frustrating about the UIDAI’s perpetually defensive position is that many researchers and concerned persons have been trying to report security issues with Aadhaar for a long time. Consider the specific issue reported by The Tribune – a search facility that allowed authorised personnel to enter the Aadhaar number of a person and pull up their personal data was deliberately misused.
Twitter user databaazi has consistently flagged concerns of how the UID ecosystem gives third parties access to Aadhaar details though internal tools; in this case DSDV (Direct Benefit Transfer Seeding Data Viewer).
DSDV, as mentioned in one of the UIDAI documents, gives access to Aadhaar demographic data from CIDR to government agencies and banks. Sound familiar?
A clipping of how the DSDV search facility works. Credit: UIDAI
Even after the raising of concerns and the reporting of breaches, the UIDAI has no set procedure for security researchers to report these issues through secure channels.
The government body has also selectively ignored security issues of how third parties are accessing and storing Aadhaar demographic data even though plenty attention is diverted to how the programme can help promote India’s digital economy. In the grander scheme of things – where future Indian governments will monetise and extract maximum value from the personal data of its citizens – privacy violations, identity theft and financial fraud are apparently a small price to pay.
Indeed, the most important story of Aadhaar over the last few years is that while its core (the Central Identities Database Repository) may be strong, its branches, roots and wider ecosystem are dangerously exposed and with open access to any private company by default.
This shows in the way the Centre frames its denials, in the way it selectively replies to questions related to Aadhaar in parliament.
For instance, when asked about leakage of Aadhaar data by private vendors – a problem that is currently threatening to snowball out of control – the minister of state for information and technology merely replied in parliament that Aadhaar data in the CIDR had not been breached.
To another question on action taken against government employees for leaking Aadhaar data to unauthorised persons, the minister again meekly replies that “no such incidents have been reported to the UIDAI” – he is clearly not willing to answer whether any employees or bureaucrats were penalised for publishing the personal data of millions of Indian citizens on 210 government websites.
If you look at others questions in the parliament where the mandatory nature of Aadhaar is being questioned, the government is also selectively answering them. To one question, the minister for social justice and empowerment baldly states that Aadhaar is not mandatory for beneficiaries. His answer clearly doesn’t reflect on ground realities and reflects the government’s blinkered approach to accepting and understanding the flaws with the biometric identification scheme.
By embodying the “see-no-evil, hear-no-evil, speak-no-evil” approach of the three wise monkeys, the authorities are doing more harm than good. The UIDAI and the government needs to change its stance and start listening to people who are pointing out critical flaws instead of issuing blanket denials and template answers.
Unless they do, it is only a matter of time before the Aadhaar ecosystem’s security flaws bring down the whole house, with devastating consequences for India’s citizens.
Srinivas Kodali is an interdisciplinary researcher working on issues of cities, data and internet. He volunteers with internet movements and communities.
