Above: Access to basic services like health and education will also be determined by biometric scans.
The government’s decision to link these vital numbers to bank accounts could trigger a wave of economic offences. It is time this decision that threatens the banking system is reviewed
~By Ajith Pillai
Is India sitting on an Aadhaar crime bomb that will soon begin ticking? Imagine a scenario where money is transferred from your account into another or vice versa by an unknown entity without your knowledge; when your fingerprint is placed at a scene of a serious crime to implicate you; when criminals track virtually all your activities and plot their next move; when foreign funds are transferred into your bank with devious intent and you find your account blocked pending investigations into your mysterious source of foreign monies…. All this and much more is very much in the realm of possibility thanks to your 12-digit Aadhaar number.
And to speed us on the risk-prone biometric highway is the June 1, 2017 notification (No2/F. No P. 12011/11/2016-Es Cell-DOR) of the Department of Revenue under the Finance Ministry which makes it compulsory for account holders to link their accounts with their PAN and Aadhaar numbers before December 31. 2017. Companies too will have to submit the same identification numbers to the banks, of their board members or those who have been authorised to transact business on their behalf.
Many cyber security experts are of the view that the Unique Identification (UID) programme, launched in 2010, has evolved dangerously and will become a veritable password for those indulging in a range of cyber-related crimes. At the receiving end will be ordinary Indians who now have to furnish the number for virtually every activity of their daily life—from buying a cellphone to opening a bank account.
To them, and to a sizeable section in the police, cyber-crime is an alien concept and the government’s reluctance to accept glitches in the UID programme has not helped. But despite all the apprehensions and a clutch of pending petitions in the Supreme Court relating to the validity of the scheme and privacy concerns, the government has been doggedly pushing ahead with ushering in a biometric revolution of the kind the world has hitherto not seen.
Initially meant to provide an identity for the poor and to ensure that there are no leakages in money transfers under various welfare schemes, the Aadhaar net has been widened to encompass virtually every aspect of life. School admissions, mid-day meal schemes, driving licences, pensions, income tax payments, rail and air tickets and soon, opening a bank account or maintaining one, will require the person’s Aadhaar number.
And each time one shares a number with a new agency/service platform, the number of points from which personal data can be accessed by undesirable elements multiplies. And once the data thief gains access to the data, which includes facial image, image of the iris and fingerprints, he can access the respective bank account because it will be linked to the Aadhaar card.
A copy of a fingerprint is all that will be required to effect transfers or payments into another account using the Bhim app or a point of sale (POS) machine which requires only a fingerprint as proof and bypasses the need to swipe a debit or credit card. The Bhim app, introduced to facilitate cashless transfers by the unlettered, necessitated the need to link UID numbers and data to banks. Now the government has mandated that all accounts holders must also be linked through Aadhaar.
This gives a different dimension to data theft as it can facilitate serious financial fraud. It is no longer just about big corporations mining data to size up your credit rating or spending patterns to focus and target their marketing efforts. Neither is it about the CIA keeping a tab on India’s demographics. What we are talking about is an invasion of privacy which may come with a huge criminal quotient and could impact every citizen.
The dividends from data mining are so huge and the implications so varied that this has already begun. It will not be long before the crimes start. Here are some pointers which also reveal how data is not secure with the government:
- On February15, 2017, the Unique Identification Authority of India (UIDAI) which is mandated to implement the Aadhaar scheme reportedly filed cases against employees of Axis Bank, Suvidha Infoserve and e-Mudhra for attempting unauthorised authentication and impersonation by illegally storing Aadhaar biometrics. The security breach came to light after 397 fake biometric transactions were carried out in five days of February.
- On February 18, the Hindi news daily Dainik Bhaskarreported the arrest of six salespersons of telecommunications service provider Reliance Jio in Madhya Pradesh for selling SIM cards at inflated prices by using the Aadhaar data and fingerprint scans of other customers.
- In April this year, the Aadhaar details of one lakh pensioners in Jharkhand who had seeded their UID numbers to bank accounts was freely available on the website of the Jharkhand Directorate of Social Security. A few days later, a leading national daily found that “secured” data was available on the websites of a scholarship database in UP; the PDS website of the Chandigarh administration; a pensioners’ listing in Kerala and the Swachh Bharat Mission.
- A report released in May 2017 by the Centre for Internet and Society, a Bangalore-based organisation looking at multi-disciplinary research and advocacy in internet use, reveals that in the past few months, data of 13.6 lakh citizens was leaked from four major government data bases, including the portals of NREGA and National Social Assistance Programme.
- A note generated on March 25 by an official of the Ministry of Electronics and Information Technology accessed by the New Indian Express, confirmed that biometric data was not secure. “There have been instances wherein personal identity or information of residents, including Aadhaar number and demographic information and other sensitive personal data such as bank account details etc. collected by various Ministries/Departments… has been reportedly published online and is accessible through an easy online search,” said the note displayed on the front page of the newspaper. The same ministry on March 5 had issued a statement that the Aadhaar data was absolutely secure.
The financial misuse of data has not been lost on experts. Sunil Abraham, executive director of CIS, has been quoted as saying: “Biometrics is an inappropriate technology for financial services. Linking Aadhaar, which has your biometric data, with bank accounts makes you a lot more vulnerable to financial frauds than before. Your fingerprint can easily be collected at a restaurant or any other public place and can be used to steal your identity and commit frauds. The government needs to rethink its use for Aadhaar as it will impact over a billion people.”
The Foreign Hand
In 2010-2012, Unique Identification Authority of India (UIDAI) awarded contracts for biometric profiling to three US-based Biometric Solution Providers (BSPs). These were—L-1 Identity Solutions, Morpho-Safran, and Accenture Services Pvt. Ltd. All three reportedly have business contracts with US, British and French intelligence agencies. There are also reports in the international media of former intelligence operatives in the employment of these companies and their subsidiaries.
The companies, as per the contract, were given Rs 20 crore each by UIDAI for their services. The charges paid per card was Rs 2.75.
This money went to foreign companies. The UID programme was not an indigenous effort as claimed by Nandan Nilekani, chairman of the UIDAI, when it was launched and the contracts with the foreign companies were signed.
The UIDAI has often made statements that the data collected is encrypted and inaccessible to the BSPs. But the contract with the three companies, accessed by an RTI activist, shows that they had access to unencrypted biometric data. As part of their contract, these BSPs had to weed out duplicate applications. This involved comparing the biometric data of all applicants which necessitated access to it.
It is not known whether the mass of biometric data was copied and stored abroad or sold. But given the demand for data, the possibility of this having happened cannot be ruled out. Also, one cannot say with certainty that it will not be put to use in future by intelligence agencies or exploited by corporates.
Clause 4.1.1 of Annexure ‘E’ of the contract admits that demographic data is inaccurate. Despite RTI requests, UIDAI has refused to provide Annexures ‘I’, ‘J’ and ‘K’ of its contracts with Biometric Solution Providers. It has even refused to comply with the orders to do so by the Chief Information Commissioner, citing security reasons. These annexures give the technical bids of the contractors which would specify the limitations.
Prashant Pandey, who knows a thing or two about cyber security and was the whistle-blower in the Vyapam scam, fears that the linking of Aadhaar cards to bank accounts could lead to serious frauds. He told India Legal: “Just imagine a trickster operating from outside India with leaked Aadhaar database and hundreds of POS machines with the biometric payment system, Bhim. He can pull money out from bank accounts to an anonymous destination abroad. The possibilities are immense unless security is tightened and data secured.”
Professor Anupam Saraph, an expert in governance of complex systems, describes the linking of Aadhaar to bank accounts as a move which will “enable benami bank accounts and scale benami transactions to destroy the Indian economy along with the Indian banking system”.
“The Aadhaar number is for all residents in India. It cannot hence, serve as ID for Indian citizens. It is not an ID card, but a number in a database. Every time people have to be identified, identification is needed by scanning biometrics from the UIDAI database, which is impractical.”
—Colonel Thomas Mathew, anti-Aadhaar campaigner
In his blog, Saraph lists several reasons why he feels the Aadhaar-bank account linking is dangerous. Innocent account holders, he notes, will find their UID numbers being used as “mules for money laundering”. Or their payments under government schemes easily compromised by tricksters. Worse, they can be “framed for economic offences” if someone deliberately transfers illegal money into their accounts. This, in turn, would lead to harassment and accounts being frozen pending investigation.
But how can fingerprints be copied and misused? Pandey pointed to the example of the Vyapam entrance examination scam for MBBS in Madhya Pradesh. Here, qualified persons fronted for the real candidates and wrote the exam on their behalf despite fingerprint scanners being used before allowing access into the examination hall. How were the scanners fooled? “The fake candidates merely copied the fingerprints of the real candidates on a silicon film and wore it on their thumb. This happened in not one or two cases but in several hundreds of them. What happened in Vyapam is proof of how unreliable fingerprint identification is,” he said.
Fingerprints from the Aadhaar database, once accessed, can easily be copied and used to implicate someone in a crime. Pandey believes it is a real possibility. “Your fingerprint can be placed at the scene of a crime by vested interests who can frame you with the help of the police. The prospect of misuse is frightening,” he said. Pandey hopes to demonstrate how Aadhaar data can be misused before the apex court.
Noted human rights activist and senior Supreme Court lawyer Indira Jaising said that privacy concerns are not to be taken lightly. She told India Legal: “As a citizen, why should I surrender all my personal details to the government so that it can be misused against me? Why should people know which hospital I go to or which school my child attends? Why should they know where I am travelling to or on which airline I have booked my tickets? Once all my activities can be mapped, the information can be used to perpetrate a crime against me. Why should I allow that?”
However, those who endorse the UID scheme brush aside privacy concerns by saying that such apprehensions reside only in the minds of those who are involved in illegal activity or have unaccounted wealth and would not like their bank transactions to be monitored. However, what is missed out is that there are already enough ways to keep tabs and there is no need to store personal data which can easily be stolen. “As for Aadhaar providing biometric proof of identity, the less said the better,” said Colonel Thomas Mathew, a Bangalore resident and one of the first to file a civil suit in the apex court against Aadhaar.
“The UID/Aadhaar number is for all residents in India (who could also be outsiders on an extended visa). It cannot hence, serve as an ID for Indian citizens. It is not an ID card, but a number in a database. The UID scheme envisages that people would be identified every time identification is needed, by scanning biometrics and querying the UIDAI database. This is impractical. UIDAI itself admits that demographic data is inaccurate. If demographic data is unreliable, UID cannot be proof of ID,” Mathew told India Legal.
As for the fallibility of biometric data, he quotes the 2010 study titled “Biometric Recognition—Challenges and Opportunities” by four US national academies—the National Academy of Sciences, the National Academy of Engineering, the Institute of Medicine and the National Research Council.
The first principal finding of the research was that “biometric recognition is inherently probabilistic and hence, inherently fallible”. According to estimates, under field conditions, the false matches are 1 in 16.
Added Mathew: “The actual number of false matches is even more—1 in 10. This fact is known from an ignorant, inadvertent admission of UIDAI in its counter-affidavit to my writ petition in which it stated that 80 million fake/ duplicate enrolments were detected (at a time when about 800 million enrolments were done). So, mathematical prediction is proved by ground reality data.”
Even in the Madrid train bombings case of 2004, fingerprints taken at the scene of the crime matched those of 20 people in the FBI database. When even the limited data bank of criminals with the FBI is fallible, imagine the probability of error when the entire population of a country as vast as India is involved.
Ahead of the 2014 general elections, the BJP had opposed the UID programme. In fact, Mathew was invited to make a presentation against Aadhaar before a BJP Parliamentary Party presided by LK Advani. The unanimous view then was that Aadhaar was a security risk and must be vehemently opposed. But things changed after the BJP came to power. Notes Mathew: “The party has done a complete ‘U’ turn without giving any reasons.”
In the final analysis, before the nation heads towards a total Aadhaar regime, it is perhaps time for the government to reassess the entire UID programme to plug the inherent security lapses. Also, it must not promote its use as proof of identity. It was only last month that the Union home ministry issued a communiqué: “Aadhaar (UID) card is not an acceptable travel document for travel to Nepal/Bhutan.” A valid national passport or election ID card issued by the Election Commission would however serve as proof.
Therein lies the harsh reality and identity crisis…