Aadhar: Can UIDAI catch all instances of stored biometrics?


There is an interesting piece of news about the all-pervasive Aadhar project (the biometric fingerprint project which is touted as the unique ID that will solve all our problems). Three companies — Axis Bank, Bangalore-based eMudhra, and Mumbai-based Suvidhaa Infoserve — have been booked for using stored biometrics for authentication, which is a violation of the Aadhar Act. The Aadhar Act apparently stipulates that one cannot use a stored biometric to authenticate a fingerprint.

These companies used stored biometrics to authenticate a fingerprint. The penalty for this is 3 years of imprisonment. As their defense, these companies claim that they were only testing their software.

I don't know if the techies were really testing their software or were up to some mischief. However, being a developer/tester myself, I know that when one tests software one needs sample data. The process of getting sample data cannot be too complicated, and one needs easy access to it, so that one can focus on the real job: checking the functionality of the software and detecting and fixing bugs. It is only natural, then, that a developer would need something stored in memory rather than calling a person who has an Aadhar number again and again and asking him to give his fingerprints for testing. Whether the developer was aware of this law or not, I don't know, but if indeed he was testing software, he was meeting his needs correctly by having something at hand (in memory perhaps, or on disk) that he could use again and again to do his job quickly.

If there was a law, then he should have been made aware of it, or at least the project lead should have been aware of it. If a developer spends all his time understanding legalese, he will not be able to focus on his real job.

The interesting part is that the Aadhar authorities say they got a perfect match between two biometrics: since the biometric was stored, no bit would differ. That told them that the biometric was stored and did not come from a live finger, because a live finger would probably never give exactly the same biometric; the template would differ in at least a few places.

This is brilliant; however, to go after people who may genuinely be doing testing is unfair. Again, I do not know if the techies were testing their software or were up to some mischief.

More importantly, now that it is known that exact matches are not acceptable and are in fact a violation of the law, fraudsters and criminals who steal biometrics will take care that the biometric template differs sufficiently every time, so that they are not found guilty of having stored biometrics.

So, what does this mean? Aadhar disclosing the reasons about what exactly happened can give ideas to fraudsters on how to fool the UIDAI. Thus, knowing the above, fraudsters can now beat the scrutiny of UIDAI.

The law that stored biometrics should not be used for authentication is brilliant. After all, one of the biggest concerns about Aadhar is that fingerprints would be stolen. They can then be used to authenticate in two ways: make a clone of the fingerprint using Fevicol or some such thing, or store it digitally. Making the latter illegal is absolutely correct. The big question, however, is whether UIDAI can catch all instances of stored biometrics.

As I mentioned above, if the fraudsters change the biometric template by a bit every time, UIDAI won't be able to get an exact match, and hence its method of finding stored biometrics will fail. There is one other way that I can think of to tell that a fingerprint is stolen. If the same person authenticates himself from two geographically dispersed locations within a time in which it is not possible to travel from the first to the second, one can safely conclude that one of the two places is using a stolen fingerprint. Which one, however, is difficult to figure out. This also requires that the end location info is available to UIDAI. Sometimes, UIDAI may only be able to see the location of the proxy. I am not aware of the details of the architecture here.
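The two checks discussed above (a byte-identical template seen again, and the same ID authenticating from two places too far apart for the elapsed time) can be run over an authentication log as follows. This is an added example, not UIDAI's code or anything from the reported case. The event fields, the speed and distance thresholds and the sample data are assumptions, and `loc` is assumed to be the real end location rather than a proxy.

```python
import hashlib
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # assumed speed ceiling (about airliner speed)
MIN_KM = 50.0    # assumed: ignore small distances (location imprecision)

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_events(events):
    """Return (reason, earlier_index, later_index) alerts for a list of events.
    Each event: {"id", "ts" (epoch seconds), "loc" (lat, lon), "template" (bytes)}."""
    alerts, first_seen, last_event = [], {}, {}
    for i in sorted(range(len(events)), key=lambda k: events[k]["ts"]):
        e = events[i]
        # Check 1: byte-identical template submitted again for the same ID.
        # A live capture is expected to differ in at least a few places.
        key = (e["id"], hashlib.sha256(e["template"]).hexdigest())
        if key in first_seen:
            alerts.append(("exact_template_repeat", first_seen[key], i))
        else:
            first_seen[key] = i
        # Check 2: same ID seen at two places too far apart for the elapsed time.
        # It cannot tell which of the two events used the stolen fingerprint.
        j = last_event.get(e["id"])
        if j is not None:
            km = haversine_km(events[j]["loc"], e["loc"])
            hours = (e["ts"] - events[j]["ts"]) / 3600.0
            if km > MIN_KM and km > MAX_KMH * hours:
                alerts.append(("impossible_travel", j, i))
        last_event[e["id"]] = i
    return alerts

# Constructed sample events (IDs, times, coordinates and templates are made up).
MUMBAI, DELHI = (19.0760, 72.8777), (28.6139, 77.2090)
SAMPLE = [
    {"id": "A", "ts": 0,     "loc": MUMBAI, "template": b"\x01\x02\x03"},
    {"id": "A", "ts": 600,   "loc": MUMBAI, "template": b"\x01\x02\x03"},
    {"id": "A", "ts": 1800,  "loc": DELHI,  "template": b"\x01\x02\x04"},
    {"id": "B", "ts": 0,     "loc": MUMBAI, "template": b"\x09\x08\x07"},
    {"id": "B", "ts": 86400, "loc": DELHI,  "template": b"\x09\x08\x06"},
]

if __name__ == "__main__":
    for alert in flag_events(SAMPLE):
        print(alert)
```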

One needs to note here that to do the above, UIDAI needs to know and store the location info. This would be a huge privacy issue, as it would lead directly to surveillance. Nandan Nilekani, the founder of Aadhar, had made many promises to allay the privacy concerns. One of them was that the database would only give a yes or no answer. Already we know that the database is storing much more info: whether it was an exact match or not is already being stored. In other words, promises of privacy are going for a toss one by one.

To summarize, Aadhar has a lot of technology issues that make it a broken technology. See my earlier articles on Aadhar here and here regarding the above.

Among the many reasons why Aadhar is broken, an important one is that it is impossible to ensure that fingerprints will never be stolen. This is essentially true of almost all passwords, but the use of a fingerprint as a password, which Aadhar does, is particularly problematic.

Consider the use of a password consisting of a few letters and digits, which is usually the case. While a password is secret, one also allows for the fact that a password could get stolen and hence will sometimes need to be changed. There is always a provision for changing a password. In the case of a fingerprint as a password, there is none. Once a fingerprint is stolen, it is lost for good; the only option is surgery to alter the fingerprints. Use of a fingerprint as a password should thus be a no-no except in small controlled environments, such as a corporate entity, where things are monitored closely. In a huge country like India, it is impossible to ensure that biometrics are not stolen. It is not for nothing that big countries such as the UK and the US do not use fingerprints for authentication on a nationwide scale. (Note that the FBI uses fingerprints for identification. Identification is a different process. In identification, in the final phase, one physically tries to match the fingerprint template of a potential match with the one in the database. And more importantly, one does not take authentication decisions on such a match in real time, a thing that could have great financial implications, as in the case of UIDAI.)

Thus, once one’s fingerprint is stolen, one is left out of the Aadhar project. One way to allay the issue was to ensure that one cannot use stolen fingerprints for authentication. Disallowing stored fingerprints and catching them during authentication was one way. But as this article shows, while UIDAI has made some progress here, it cannot catch all instances of these, and hence it is far from allaying these concerns. Security of data and issues of deduplication are other serious concerns with Aadhar that still remain.

The government is trying to push Aadhar irrespective of ground conditions. The SC has mandated that Aadhar should not be made mandatory, yet many govt. departments are making it mandatory, violating all SC guidelines. It is time for the authorities to wake up.

PS: UIDAI was not contacted for this article. Previous queries to UIDAI have resulted in no response or an evasive one.

http://www.thesecurityblog.in/feb2417.html