Aadhaar's the largest biometric database globally but it is leaky by design

Biometric data being collected for Aadhaar registration. Photo: Reuters

Over the last few months, the Indian twittersphere has been awash with citizens concerned about government websites leaking millions of individual digital ID numbers.

On May 1, the Centre for Internet and Society, a multi-disciplinary think tank in Bangalore, released a report indicating that faulty information security practices have exposed as many as 135 million ID numbers, leaked from four government databases. The data leaks originated in the process of implementing online dashboards that were likely meant for general transparency and easy administration by the government agencies.

Developed by the Union government of India in 2009, the plan called for the creation of a Unique Identification Authority of India (UIDAI) that would issue Unique Identity numbers (UIDs) to all residents of India. Under this scheme, now known as Aadhaar, the UID number ties together several pieces of a person's demographic and biometric information, including their photograph, ten fingerprints and an image of their iris. This information is all stored in a centralized database.

The scheme has so far enrolled 1.13 billion Indians and residents of India, making it the largest biometric database in the world.

This has become a point of pride for government agencies involved in the program. Information Technology Minister Ravi Shankar Prasad (@rsprasad) tweeted:

113 crore people in India have #Aadhaar . India has the world's largest digital identity system. #DigitalIndia pic.twitter.com/5pwI5yuBMx

— Ravi Shankar Prasad (@rsprasad) April 24, 2017

Expanding programmes

Aadhaar was built to be used as an identity authentication mechanism on top of which multiple services could be built. The scheme was run under an executive order from its inception in 2009 until the Aadhaar Act was passed in 2016. The strategies employed by its supporters generated substantial controversy, and it has since been challenged in the Supreme Court on budgetary grounds. But thus far, it remains in place.

The UIDAI has maintained that the scheme is voluntary. Yet the central government has pushed state governments to include UID for a wide range of essential government services meant to be available to the public.

Independent news portal Scroll regularly covers issues related to UID’s linkages with various welfare programs through its Identity Project. In recent years, Scroll has identified multiple examples of public services being denied to individuals who did not have a UID.

In Delhi in 2015, food rations were denied to those without UID numbers. In April 2016 in the Ajmer district of Rajasthan, UID-enabled food subsidies repeatedly recorded authentication failures.

Six months after Aadhaar was introduced in Rajasthan, state officials report that 10-15% of beneficiaries who normally received food grains from the government (under the National Food Security Act) have been denied some or all of their rations because the system could not authenticate their UIDs. A local farm laborer told Scroll that his rations had been drastically reduced since the arrival of Aadhaar. “In some cases, when we put our fingers, the machine reads out 5 kg, 10 kg, or 15 kg as our entitlement. But we are entitled to 35 kg as per the government norms.”

Advocates are quick to note that there is no adequate avenue for remedy in these situations, leaving citizens with little recourse or ability to have these errors corrected.

In spite of multiple court orders making UID voluntary and limited to selected schemes, the government continues to expand its scope.

Delicate infrastructure and its misuse

According to economist Jean Drèze, the new authentication system requires a lot of fragile technologies to work at the same time, such as a point of sale machine, internet connectivity, biometrics, remote servers and mobile networks. He also maintains that the primary cause of corruption in disbursement of food subsidies is related to the quantity of rations distributed or quantity fraud, which UID doesn't address.

Another economist who has worked extensively on these issues, Reetika Khera, points out that the exclusion of large numbers of people from welfare schemes has not been because of lack of an identity, but rather due to “measly budgets and exclusion errors.”

Contention with the court

The Supreme Court issued two orders in September 2013 and March 2014 which stated that “no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled.” On August 11, 2015, the court issued yet another order which limited the use of UID to food, kerosene and cooking gas subsidies. On October 15, it further expanded it to four more schemes: the National Rural Employment Guarantee Scheme, Pradhan Mantri Jan Dhan Yojana (a scheme for financial inclusion), and policies related to pension and provident funds, after the government argued that it would be difficult to roll back UID now that it is the most used national identity system and is linked to service delivery in several major welfare schemes.

‘Leaky’ by design

Following the repeated arguments by the state that UID makes it possible to weed out ‘ghost beneficiaries’ and ‘de-duplicate’ multiple IDs, revelations of fake ‘UID cards’ began to circulate. These UID cards were reportedly issued under the names of pets, historical figures, one alleged spy and even gods.

 

@Memeghnad Also, it's as if there are no fake Aadhaar numbers. They bloody gave an Aadhaar to a cat, dog and Jhansi Ki Raani!! https://t.co/9vWXXBtLSX pic.twitter.com/dkaZDxDdeN

— Mayank Jain (@Mayank1029) April 21, 2017

More recently, the Indian twittersphere has been vocal in pointing to government websites leaking sensitive information from the UID database. In February, security researcher Srinivas Kodali exposed a parallel database containing UID numbers and other details of 500,000 to 600,000 children.

Yesterday I was informed about a website which was publishing #Aadhaar numbers of minors. We informed the authorities and brought it down. pic.twitter.com/9k2TK39x7n

— Srinivas Kodali (@iotakodali) February 17, 2017

In another case, UID numbers of scholarship-holders sat on a state government website for over a year.

Kerala e-grantz scholarships website was leaking aadhaar & a/c data like this for more than one year. https://t.co/DdpYI72NMC pic.twitter.com/tObbE1p4uE

— Anivar Aravind (@anivar) April 20, 2017

On March 22, 2017, tech worker @St_Hill exposed the severity of the problem by showing spreadsheets of personal data that appear with just a single Google search.

 

So I wrote a few words about Aadhaar. Will be happy to be proven wrong if you find something incorrect https://t.co/CHKBAR0gP7

— St_Hill (@St_Hill) March 22, 2017

This was immediately taken down. But new ones continue to appear with other simple Google searches.

Under the hashtag #AadhaarLeaks, Twitter users have reported numerous such cases on various government websites. The leaks gained popular attention on social media when former Indian men’s cricket team captain MS Dhoni’s UID appeared in a tweet sent by a UID enrollment operator.

The government response

The UIDAI responded to the uproar with a campaign entitled #AadhaarStars, in which parents of young children were encouraged to post 30-second videos of what UID meant to them.

 

A chance to make your kids #AadhaarStars. Visit https://t.co/ePIEHGHovs for more information. pic.twitter.com/vxEvE9nXtA

— Aadhaar (@UIDAI) April 10, 2017

This was rejected by angry twitterati through the hashtag #AadhaarFail, which now offers a compendium of tweets about UID-based authentication failures.

In the last couple of months, after the privacy and security-related concerns became louder, the UIDAI has shut down enrollment operators, websites and payment applications for misuse of biometrics data. The central government has even warned state departments against leaking UID data on their portals.

As the uncertainty looms, privacy researcher Amber Sinha and the aforementioned security researcher Srinivas Kodali estimated the size of #AadhaarLeaks.

Our report on the scale of #aadhaarleaks 130 million #Aadhaar data was public. 100 million were linked to bank A/C https://t.co/dT7L7OyBeG

— Srinivas Kodali (@iotakodali) May 1, 2017

@Memeghnad @iotakodali Important to understand these are not so much as leaks as proactive publication of #Aadhaar Numbers & other data. #leakagebydesign pic.twitter.com/amNfqJAuxL

— Amber Sinha (@ambersinha07) May 1, 2017

 

It remains to be seen how the government will react to this.

on May 2, 2017
