It the largest biometric database in the world and it is fraught with security issues

Aadhaar

Biometric data being collected for Aadhaar registration. Photo: Reuters

Over the last few months, the Indian twittersphere has been awash with citizens concerned about government websites leaking millions of individual digital ID numbers.

On May 1, the Centre for Internet and Society, a multi-disciplinary think tank in Bangalore, released a report indicating that faulty information practices have exposed as many as 135 million ID numbers, leaked from four government databases. The data leaks originated in the process of implementing online dashboards that were likely meant for general transparency and easy administration by the government agencies.

Developed by the Union government of India in 2009, the plan called for the creation a Unique Identification Authority of India (UIDAI) that would issue Unique Identity numbers (UIDs) to all residents of India. Under this scheme, now known as Aadhaar, the number ties together several pieces of a person’s demographic and biometric information, including their photograph, ten fingerprints and an image of their iris. This information is all stored in a centralized database.

The scheme has so far enrolled 1.13 billion Indians and residents of India, making it the largest biometric database in the world.

This has become a point of pride for government agencies involved in the program. Information Technology Minister Ravishankar Prasad (@rsprasad) tweeted:

113 crore people in India have #Aadhaar . India has the world’s largest digital identity system. #DigitalIndia



Expanding programmes
was built to be used as an identity authentication mechanism that could have multiple services being built on top of it. The scheme was run under an executive order from its inception in 2009 until the Aadhaar Act was passed in 2016. The strategies employed by its supporters generated substantial controversy, and it since has been challenged in the Supreme Court on budgetary grounds. But thus far, it remains in place.

The has maintained that the scheme is voluntary. Yet the central government has pushed state governments to include for a wide range of essential government services meant to be available to the public.

Independent portal Scroll regularly covers issues related to UID’s linkages with various welfare programs through its Identity Project. In recent years, Scroll has identified multiple examples of public services being denied to individuals who did not have a

In Delhi in 2015, food rations were denied to those without UID numbers. In April 2016 in the Ajmer district of Rajasthan, UID-enabled food subsidies repeatedly recorded authentication failures.

Six months after was introduced in Rajasthan, state officials report that 10-15% of beneficiaries who normally received food grains from the government (under the National Food Act) have been denied some or all of their rations because the system could not authenticate their UIDs. A local farm laborer told Scroll that his rations had been drastically reduced since the arrival of “In some cases, when we put our fingers, the machine reads out 5 kg, 10 kg, or 15 kg as our entitlement. But we are entitled to 35 kg as per the government norms.”

Advocates are quick to note that there is no adequate avenue to remedy in these situations, leaving citizens with little recourse or ability to seek that these errors be corrected.

In spite of multiple court orders making voluntary and limited to selected schemes, the government continues to expand its scope.

Delicate infrastructure and its misuse

According to economist Jean Drèze, the new authentication system requires a lot of fragile technologies to work at the same time, such as a point of sale machine, internet connectivity, biometrics, remote servers and mobile networks. He also maintains that the primary cause of corruption in disbursement of food subsidies is related to the quantity of rations distributed or quantity fraud, which doesn’t address.

Another economist who has worked extensively on these issues, Reetika Khera points out that the exclusion of large number of people from welfare schemes has not been because of lack of an identity, but rather due to “measly budgets and exclusion errors.

Contention with the court

The issued two orders in September 2013 and March 2014 which stated that “no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled.” On August 11, 2015, the court issued yet another order which limited the use of UID to food, kerosene and cooking gas subsidies. On October 15, it further expanded it to four more schemes: the National Rural Employment Guarantee Scheme, Pradhan Mantri Jan Dhan Yojana (a scheme for financial inclusion), and policies related to pension and provident funds, after the government argued that it would be difficult to roll back now that it is the most used national identity system and is linked to service delivery in several major welfare schemes.

‘Leaky’ by design

Following the repeated arguments by the state that makes it possible to weed out ‘ghost beneficiaries’ and ‘de-duplicate’ multiple IDs, revelations of fake ‘UID cards’ began to circulate. These cards were reportedly issued under the names of pets, historical figures, one alleged spy and even gods.

More recently, the Indian twittersphere has been vocal in pointing to government websites leaking sensitive information from the database. In February, researcher Srinivas Kodali exposed a parallel database containing numbers and other details of 5-600,000 children.

Yesterday I was informed about a website which was publishing #Aadhaar numbers of minors. We informed the authorities and brought it down.

In another case, numbers of scholarship-holders sat on a state government website for over a year.

On March 22, 2017, tech worker @St_Hill exposed the severity of the problem by showing spreadsheets of personal data that appear with just a single Google search. 

Okay I wrote a 1000 word thing about Aadhaar. What’s the best way to share – do people read blogs nowadays? Medium? Twitter thread?

So I wrote a few words about Aadhaar. Will be happy to be proven wrong if you find something incorrect https://medium.com/@St_Hill/i-wrote-a-few-words-about-aadhaar-34e141afb725#.icmnt9792 

Photo published for 4 other issues that need UIDAI/Aadhaar’s attention – St_Hill – Medium

4 other issues that need UIDAI/Aadhaar’s attention – St_Hill – Medium

While the debates around privacy, database security and mandatorification of Aadhaar rage on, these 4 issues/flaws too need attention.

medium.com

This was immediately taken down. But new ones continue to appear with other simple Google searches.Under the hashtag #AadhaarLeaks, Twitter users have reported numerous such cases on various government websites. The leaks gained popular attention on social media when former Indian men’s cricket team captain MS Dhoni’s UID appeared in a tweet sent by a enrollment operator.

The government response

The responded to the uproar with a campaign entitled #AadhaarStars, in which parents of young children were encouraged to post 30-second videos of what meant to them.

This was rejected by angry twitterati through the hashtag #AadhaarFail which now offers a compendium of tweets about UID-based authentication failures.In the last couple of months, after the privacy and security-related concerns became louder, the has shut down enrollment operators, websites and payment applications for misuse of biometrics data. The central government has even warned state departments against leaking data on their portals.

As the uncertainty looms, privacy researcher Amber Sinha and aforementioned researcher Srinivas Kodali estimated the size of #AadhaarLeaks.

Our report on the scale of #aadhaarleaks 130 million #Aadhaar data was public. 100 million were linked to bank A/Chttp://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1 

Photo published for Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability...

Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability…

In this paper, we highlight four government projects run by various government departments with publicly available financial data and Aadhaar numbers.

cis-india.org

.@iotakodali @ambersinha07 Report talks about data leaks from 4 Govt websites. The one I’m interested in is MNREGA. Are you saying the national website is leaking?
4/ pic.twitter.com/KceLanOcrE

@Memeghnad @iotakodali Important to understand these are not so much as leaks as proactive publication of #Aadhaar Numbers & other data. #leakagebydesignpic.twitter.com/amNfqJAuxL

View image on Twitter

It remains to be seen how the government will react to this.


This article by Rohith Jyothish originally appeared on Global Voices on May 2, 2017