In a shocking security breach of Aadhaar, India’s biometric ID project for residents, the police have arrested 10 men in Uttar Pradesh in North India for successfully creating fake biometrics identities in the Aadhaar database, by cloning fingerprints.

On September 11, the Uttar Pradesh Special Task Force caught a 10-member gang who have been impersonating the credentials of certified Aadhaar operators both by faking the operators’ fingerprints using photopolymer resin, and by illegally cracking open enrolment software of the Unique Identification Authority of India(UIDAI).

As per news reports, the criminal gang lifted the fingerprints of the operators sub-contracted by the UIDAI, printing the fingerprints on a butter paper. Additionally, they illegally used a software vulnerability to bypass the iris authentication check established by the government. Such a breach would allow any one to send enrolment packets into the Central Identities Data Repository, where all biometrics and demographics data of Indian residents are stored.

News reports indicate the revenue model of this latest theft was abased on selling kits of software, and fingerprints at Rs 5,000 each, which allowed people to run fake enrollment agencies.

The police team claimed in raids, they found “38 cloned fingerprints on paper, 46 cloned fingerprints made of a chemical, 12 mobile phones, two Aadhaar finger scanners, two retina scanners, eight rubber stamps, 18 Aadhaar cards”, according to an Indian Express report. The investigation is still on, and Uttar Pradesh Special Task Force have said the network operating the latest Aadhaar scam may extend to several states.

Till two weeks back, the UIDAI and the central government have been.

We demand that the UIDAI:
  • Immediately halt coerced enrolment, linking of services and exisiting IDs to Aadhaar; withdraw of all notifications issues under section 7 of Aadhaar Act mandating Aadhaar for essential services
  • Independent audit of Aadhaar database, by a public agency with public representation 
  • That UIDAI immediately notify and compensate unsuspecting residents whose personal biometrics data may have been compromised at these fake enrolment centers
  • UIDAI make public the records of when did the details of the Uttar Pradesh STF police investigation and raids first come to light, for how long and in how many states have such security breaches been found so far
  • UIDAI must explain to Standing Committee on Home Affairs how many instances of breach / attempt to breach of Aadhaar database has been notified to UIDAI and what has been the action taken by UIDAI in all such cases?

What this latest beach means

The latest incident is a shocking breach of public trust. The government claims Aadhaar is more foolproof than any exisitng Proof of Identity and Proof of Address documents because it is accompanied by biometrics.

As per the UIDAI, only authorised agents can do enrolment, and all enrolment must be validated by the operator’s finger print and iris along, with their Aadhaar number. This breach shows a poor process of approving who could be doing the enrolments as unaudited and unverified enrolments entered the CIDR central database. This attack shows the government’s claims to be false and makes approved enrollments in the CIDR made via these compromised operator accounts worthless.

In this latest security breach, the criminal gang had successfully cracked open the enrollment software. Official statements and news reports on silent on how this was done. The result was that they were able to send enrolments into CIDR by impersonating the credentials of certified operators.

The latest incident shows the UIDAI is unable to guarantee the veracity of data in the Aadhaar repository. It has failed to guarantee the security of residents’ identity information, including core biometrics which cannot be replaced. Experts have also warned that if a fingerprint can be faked on a high resolution scanner used during enrolment, it can definitely be faked on the low resolution scanners used during authentication.

Aadhaar-based biometric scams, identity theft are now a real risk for the poor, especially those with less access to digital literacy.

Lack of legal remedies to citizens
Despite security vulnerabilities, the government of India is continuing pushing residents, including minors and elderly who are especially vulnerable, to enroll into the Aadhaar database. There is a continuous push to enroll along with a threat of cutting off citizens from essential services of food, coking gas, pensions, scholarships, disability aid, and now the threat of cutting off access to bank services and mobile connections, unless they submit their biometrics and link every existing ID to the Aadhaar database.

There is also a worrying absence of legal remedies to residents if their personal data being made insecure by the UIDAI.

Section 47(1) of the Aadhaar Act says: “No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.”
Thus, UIDAI is responsible for both maintaining the security and confidentiality of identity information and authentication records, as well as for approaching a court in case of a security breach – which is a conflict of interest. There is no provision in the law for residents to get mandatory notifications from UIDAI, if their data is breached.

Worryingly, this is not the first time such a breach has been detected. Four years back, in 2012, Infrastructure Leasing & Financial Services Limited (IL&FS) staff had enrolled 30,000 people fraudulently in Hyderabad.

There is fraud not only at the enrolment stage, but also at the authentication stages leading to identity fraud.

Earlier this year, students at a technology institute in Mumbai demonstrated how easy fingerprints cloning is when they used it to falsify attendance.

Despite warnings from security experts over the years and petitioners approaching the Supreme court that biometrics is an insecure, non-censual, and broken technology, and that biometrics can be easily replicated and cloned using even fevicol and wax, and that such breaches have occurred in other countries, the both the Congress and the BJP government have pushed the residents of India to submit their biometrics into an insecure database.

This coercion must stop, and both the UIDAI and other central agencies mandating Aadhaar must be held to the highest standards of accountability for risking citizens’ personal data into an insecure and compromised database.