Aadhaar Leaks

A few days back, Asia Times and Medium, a popular website, reported on security holes in the Aadhaar system. Saikat Datta wrote that a number of people have warned the UID Authority of this hole, without getting any response. Today, the French security expert who goes by the Twitter handle Elliot Alderson (@fs0c131y), and who had earlier exposed a number of security breaches in the Aadhaar and government websites, has tweeted the details of a YouTube video that shows a software that can be used to edit the personal data of anybody enrolled in the Aadhaar system; that too without any security checks! And to add insult to injury – for UIDAI – the person who posted the video is asking those who liked his video for contributions to his PayTM account.

Is the video fake? If it is, we can heave a sigh of relief. The problem is that very similar complaints have been made by various people to UIDAI without any response, indicating that this software is available for as little as Rs. 500. Anand Venkatanarayanan, in his Medium piece, has also explained why a software – called ECMP (Aadhaar Enrolment Client Multiplatform) software – that resides in the e-Kendra computers, can be hacked more easily. And if it is hacked, it will allow any change in the personal data of the person enrolled in the Aadhaar database. This means the mapping between the biometric and the personal data can be changed.

UIDAI’s contention is that the biometric database cannot be hacked and remains behind secure walls (13 feet high according to the Attorney General). The question is not whether the ridges and whorls of our fingers are safely stored, but whether the name and other details attached to the fingerprints are truly mine. If they are not secure and can be changed by buying a Rs 500 software, it means identity theft can occur on a mass scale. And as more service providers are added to the Aadhaar system, there is more potential for holes that allow such identity thefts. This is the central risk of the Aadhaar system. And our nightmare.

We have been warning the government, in our columns and videos, that the Aadhaar system is a poor one and will not lead to any foolproof identity verification system. If biometrics are used, poor connectivity and lack of electricity, apart from at least 10% of biometrics like fingerprints not being verifiable, will defeat the system. If biometrics are dispensed with, the Aadhaar ID proof is as good as self-certification. Why then, are tens of thousands of crores being spent on the system?

The logic of the system lies elsewhere. Yes, the Aadhaar system leaks like a sieve. It is capable of being bypassed in various ways. Yes, people who are legitimate beneficiaries of various systems are being denied their dues or rations, as the biometric system does not work properly.

So what is the purpose of Aadhaar? For the government, it provides a method of collecting a huge amount of information about citizens: religion, caste, geotagging of their houses, collating it with their income and expenditures, etc. This is a surveillance tool that can be used against individuals and communities. For a government that is against a particular section, it can be used to bypass development in certain areas where a particular community may be staying. For big Indian capitalists, such as the Ambanis, it provides the tool of big data at government expense. Once such big data is available, the capitalists can tap into it in various ways. This is why, from a Nilekani to an Ambani, all of them have lined up behind Aadhaar.

Unfortunately for both the government and big capitalists, the ecosystem of Aadhaar, as engineered and deployed, is so poor that it is likely to fail. Sooner rather than later. Even if the Supreme Court does not strike it down on our privacy violations.

The Aadhaar system is increasingly looking like a ship with a large number of holes. How long can its captain – UIDAI – continue to deny these leaks? And how long will we pump in good money after the bad?