You can set up a maximum security biometric identity system in a high security facility with all round controlled access but the moment you take it to a national level, it develops any number of leakage points.
After 38 days of hearings over 4 months in what was the second longest case to be argued in India’s constitution history, the Supreme Court finally reserved judgment in the Aadhaar case on May 9, 2018. It may be several weeks before judgement is delivered but already, it is clear that events have overtaken the case: events that may have rendered the whole exercise futile. Curiously, the heat, dust and animated debates over the last years seem only to have clouded the issues, which in themselves are easy to understand.
As the situation stands today, the Supreme Court is called upon to decide amongst others what seem to me to be two key critical questions. First, given the control that government gets over citizens, should any government be allowed to make Aadhaar mandatory? Second, given Aadhaar’s data leak risk, is linking Aadhaar to PAN cards, driving licences, passports, bank accounts, mobile phones, property transactions, and whatever else besides, legally defensible?
Aadhaar started as a simple attempt to create a national data base, which could then be used for the simple task of verifying identity. It worked on the assumption that biometric data is idiot proof and unchangeable. If you have lived long enough to experience aging, a quick review of your old photo album will tell you different. Even if we ignore its false Aadhaar (basis!!), a simple database is not what Aadhaar has become today. It now encompasses all your interaction with the world both private and public. If you want roti, kapra or makaan, leave alone mobile phones and bank accounts, you need Aadhaar. The government wants it to be the ultimately proof that you exist at all. Indeed, the law obliges you to keep it up to date. When your biometrics change, Section 31 of the Aadhaar Act requires you to update your data. I must not forget to mention that you have no access to this data so you really have no way to know if your data has changed.
This is simply the beginning of the Aadhaar’s Kafkaesque nature. To capture your biometric information, the government appointed vast numbers of fly by night low end operators who maintained no visible quality standards. I got my biometrics captured on an ancient computer in a village market on the seedy end of Gurgaon and I could see that my fingerprints looked like abstract art. That may be no problem for the operators since they themselves seem to have no significant obligation to maintain the integrity of their data about me. They could sell it, fake it or even switch it for someone else’s data. The really scary part of this identity card is that unlike a passport, PAN card, driving licence or voter card, you have no means to ascertain what is in the database. If you don’t know which part of you is not you in government records, you can’t get the government to recognise who you really are.
What happens if you can’t prove that you are you? The government says the supplementary OTP will do the trick. Figure this: once the biometric authentication fails, your mobile number is your whole identity! When you had your Aadhaar card made, do you recall if you shared your mobile number with that friendly neighbourhood bucket shop operator? Consider this: once biometric data is compromised, it can never be used again because it is now in the public domain. You have public property!
Let me assure you none of this is scare mongering. Reports of Aadhaar data leaks are common. In May 2017, the Bangaluru based Centre for Internet and Society reported that data of 13.5 crore cardholders had already leaked online. It revealed that four government websites had serious security flaws: National Social Assistance Programme, National Rural Employment Guarantee Act (NREGA), Daily Online Payment Reports under NREGA (Govt of Andhra Pradesh) and Chandranna Bima Scheme run by Government of Andhra Pradesh. This is only one of about thirty reports Google found for me within seconds. On July 20, 2017, the government admitted that around 210 government websites had been leaking sensitive information including Aadhaar.
The antics of mobile phone companies are the most Orwellian. Aadhaar data was never intended to land up in the hands of private business. The government’s insistence that mobile number be linked to Aadhaar has meant that these companies now have your name, address, Aadhaar card, and e-wallet details. If you use fingerprint security to control access to your smartphone, they have that too. Can you be certain that facial recognition software is definitely not working in the background of your phone? Is your Iris data compromised too? Mobile companies routine sell your information to third party marketing companies. In 2017, the website “magicapk” published a list of leaked personal details of 120 million Reliance Jio users. The website has since been suspended.
Today, we are at a point where the software architecture of Aadhaar has lost credibility too. On July 28th, 2017, the press reported that Abhinav Srivastava, co-founder of Quarth technologies, had created an “Aadhaar e-KYC” app that accessed the UIDAI API without authorisation. On September 10, 2017, in reports of the Kanpur Fake Aadhaar Enrolment scam, authorities stumbled on enrolment software that had been reverse engineered to bypass iris scan authentication for operators. On January 4, 2018, the Tribune reported that access to Aadhaar data could be purchased for as little as Rs 500 on social media. The next day, India Today reported a sting operation where details of Aadhaar card applicants were obtained from enrolment agents for as little as Rs 2 to 5 per applicant.
The latest twist in this tale is the saga of P Santosh Kumar (The Wire July 2, 2018) who paid the prescribed fee and obtained copies of Sale Deeds containing finger prints of persons who had registered property transfers at the local Sub Registrar’s office. The Sub Registrars of many states ask for Aadhaar details as well. Other states have these records digitised and available on-line. Santosh Kumar then inverted the image and used the well know polymer printing technique to create fingerprint moulds. This allowed him to activate 6,000 SIM cards which have a substantial value in the black market where criminals and terrorists pay premium bucks for SIM cards without KYC (or someone else’s KYC). As I said, when Aadhaar fails, UIDAI’s prescribed “biometric locking” requiring the linked mobile phone to be used as proof of identity. If someone can access your Aadhaar number, fake your finger and get a SIM card in your name, fundamentally, your identity is gone and you are toast. That’s for life. Now anyone can be you, for as long as you live, and considerably after that too.
This is why very few countries have ever adopted national UID systems. Malaysia’s MyKad, which dates back to 2001, is one of the oldest biometric identification systems. It is a chip-enabled card and operates as a single point of authentication in places like ATM kiosks, highway toll booths, electronic cash counters and as a public identifier. Malaysia is unique. Only Brazil, Ghana and Indonesia have tried something similar, but none of them have tried to set up a single point all-purpose mandatory identikit. The reasons seem obvious.
It is for the same reason that no first world country has anything like it. The liberal democratic impulse imbedded in post war Europe and America makes it difficult to get a buy in. Indeed, the EU has come up with stringent Data Protection Guidelines that would torch Aadhaar in a minute. America does have its Social Security Number (SSN) tool to ascertain the income of any American individual and calculate the amount of social security credit they’re entitled to based on their individual financial health. The US issues SSNs only to its citizens and doesn’t collect any biometric data of the individuals that are enrolled in the scheme. SSN is a dumb number that attaches to an individual’s profile in a company or US government agency’s database. In that, it’s like a PAN card. Ultimately, there are federal and state-level laws in the US that restrict the use of SSN across different government databases as a marker to identify a person’s identity. In 2007, the US firmly decided against encapsulating its citizens’ biometric profile to the Social Security Number cards. Why have all these countries refused to establish an Aadhaar like system?
This is what it comes down to. You can set up a maximum security biometric identity system in a high security facility with all round controlled access but the moment you take it to a national level, it develops any number of leakage points. It takes too many players to keep the show on the road, and it is impossible to guarantee that every player will be secure. Second, gizmos and software to crack the system are coming on the market all the time: if you can build it, someone can hack it. It’s not that Aadhaar has been terminally compromised: it’s that a system like this will always be easily compromised and in a hundred ways. Given the foregoing facts, is ‘what do we do with Aadhaar’ even a meaningful question to ask? If this is not a disaster already, what more remains to go wrong? Given the brutal and now well-known facts, what is it exactly that we want the Supreme Court to decide for us?