The Aadhaar card is part of the world’s largest biometrics-based identity programme. The meek and humble 12-digit number was created during the UPA government to stop fraud and pilferage from India’s social welfare programmes. Move to 2017! The Modi government is gradually making it mandatory for every citizen to use an Aadhaar card for everything from buying railway tickets, filing tax returns and obtaining marriage certificates to entrance exams, mobile phone cards and banking, and to apply for a PAN card, open a bank account, or apply for a passport or even a driving licence. So much so that on March 28 the Supreme Court had to intervene and sound a cautionary note, saying that Aadhaar cannot stand in the way of citizens benefiting from social welfare schemes.
But it has many flaws which can lead to identity theft. The recent leak of the personal details of former Indian cricket captain Mahendra Singh Dhoni by a sanctioned Aadhaar enrolment agency exposes a deeper flaw in the identification project’s data collection and storage systems, with experts saying no citizen’s private information is safe.
Reports of the misuse of Aadhaar have brought back concerns about the privacy and security of the project. In February, six employees of telecom service provider Reliance Jio were arrested for fraudulently using fingerprints to activate and sell SIM cards. There were also reports that month about Axis Bank and other entities storing and using biometric data without authorisation. Reportedly, personal information, including Aadhaar numbers, can be freely obtained through a simple online search. In a society where Aadhaar is rapidly becoming the key for citizens to access every service, claims about its security merit more rigorous analysis.
While the Centre aims to make a single identification document, the debate on the privacy of data and the legality of the move has already begun with the opposition Congress. "Banking transactions can be hacked. Aadhaar was only meant for public distribution system so that subsidies reach people. Purpose of Aadhaar card is not for the government to pry into others' activities," said Congress MP Kapil Sibal.
Any robust identification mechanism must be able to prevent or adequately remedy identity theft. Identity theft occurs when someone’s identity is wrongfully appropriated, usually to commit crimes. In the case of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, Aadhaar’s design and application are likely to make identity theft easier. Unfortunately, even the legal framework seems inadequate to address these risks. A centralised database and its dual use as both identifier and authenticator add to its main weaknesses.
Aadhaar’s design is based on a centralised database called the Central Identities Data Repository that stores every individual’s demographic and biometric information. The aggregation of personal information in one centralised database makes it vulnerable to exploitation and a valuable target for hackers, states and identity thieves. Research also suggests that, in addition to external threats, centralised databases are vulnerable to errors and misuse by the custodians of the database themselves.
Analysts say the government’s decision to hand over the enrolment process to private agencies for a licence fee was wrong and the set-up to secure private details was weak and prone to data mining and hacking. “Most people working on the ground are not trained and are not aware of what norms are to be followed. Imagine the kind of data of more than a billion people that every service centre has access to. There is a reason why an important exercise such as census is performed by the government and not outsourced to small private players,” said activist Nikhil Dey.
Biometric technology companies could store personal information for seven years. In the electronic age, it means the central government has surrendered the data to these foreign companies forever, compromising national security and personal liberty of citizens.
In 2005, researchers came out with a report examining a proposal for a unique, biometric ID in the United Kingdom. In the context of identity theft, the report stated that it was impossible to guarantee the security of such a vast database, which is likely to be accessed millions of times daily and be involved in the exchange of a large amount of valuable information. In 2010, the government there passed legislation to repeal the project.
An essential feature of the Aadhaar framework is seeding. Seeding allows organisations to feed Aadhaar numbers into their own databases, allowing them to uniquely identify beneficiaries or customers. The presence of one unique number for every individual across multiple public and private databases makes the convergence of this information easier. The legal framework does not prohibit this, and the safeguards for the security of these parallel databases are scant.
Another major concern for the Aadhaar roll-out is poor verification of the background data.
The poor drafting of the legislation only exacerbates the architectural vulnerabilities of Aadhaar. The law lacks effective checks to prevent identity theft and provide adequate redressal to victims of the crime. In the United States, proposals to combat identity theft have repeatedly emphasised restricting the use of the social security number, especially by private companies. In light of the recent security breaches related to Aadhaar, the government must introspect on its use as a universal identifier.