Pune: The Unique Identification Authority of India (UIDAI)’s move to introduce features such as face authentication and virtual ID to strengthen security of Aadhaar data is being seen by experts as an “admission” that the current features are not secure.
With the Supreme Court slated to hear Aadhaar petitions on January 17, experts have voiced concern that UIDAI’s knee-jerk reaction was a last-minute attempt to cover up lack of security of humungous data stored in one place.
E-governance expert Anupam Saraph said that the decision to come up with virtual ID was admission by UIDAI that storage of Aadhaar number was “dangerous and wrong”.
“If these were not so, virtual ID (VID) would be unnecessary. The introduction of VID also shows that UIDAI had failed to implement its own Aadhaar Act and authentication regulations that prohibit storage of Aadhaar numbers,” he said.
UIDAI has been unable to enforce the law and restrict usage of Aadhaar numbers in strict compliance of section 8 of the Aadhaar Act and the Aadhaar (Authentication) Regulations, 2016. Even the technology solutions provided by UIDAI violate regulations by including Aadhaar number in eKYC records, he added.
The expert felt that virtual IDs would make no difference as Aadhaar numbers stored by banks, telecom companies, educational institutions, hospitals and government offices cannot be recalled.
Instead of restricting public use to only VID, UIDAI was still allowing global Aaadhaar user agencies to store Aadhaar numbers.
This will result in Aadhaar numbers being stored contrary to the Act and regulations, stated the expert.
Petitioner Vickram Crishna said that it was surprising that a year back UIDAI had no doubt about other authentication and now suddenly it has introduced face authentication. ‘They are rushing these ahead of hearing on January 17,’’stated Crishna, who had filed his petition against Aadhaar in 2012.
His co-petitioner G.Nagarjuna, professor at Homi Bhabha Centre for Science Education, Tata Institute of Fundamental Research, said adding new features would not make any sense.
“Teja main hoon, FaceAuth idhar hai.”
Let me show in five tweets using @UIDAI‘s own circular how misleading and useless this feature is gonna be. Not to mention open up another vector for attacks, leaks and frauds. #AadhaarFacePalm https://t.co/tjyIsRjBNE
— Suhail (@tweepul) January 15, 2018
UIDAI’s circular on Face Authentication 👉🏻 https://t.co/JnmQlKjuRX
This is the preface for the need of Face Auth (point 3, 4a) #AadhaarFacePalm pic.twitter.com/yqvkwjAiwX
— Suhail (@tweepul) January 15, 2018
1) UIDAI ack’s some ppl face difficulty in biometric auth’n. Thank God for small mercies – until now they’ve vehemently rejected that charge
2) Many AuAs (UIDAI partners) have not yet deployed FP or iris devices
3) FaceAuth intends to provide additional choice #AadhaarFacePalm— Suhail (@tweepul) January 15, 2018
1)
So how are they gonna implement it? Something called “Fusion mode” which needs any one of the two biometrics AND Face Auth.#AadhaarFacePalm pic.twitter.com/rUqqqYQzON
— Suhail (@tweepul) January 15, 2018
Bonus: Last week @ceo_uidai claimed your photo was not pvt data and “mere leak of demographic data” that included one’s photo (@thetribunechd story) was no big deal. Now they introduce Face Auth as a feature. What a joke! @UIDAI at least learn to keep your lies straight.
— Suhail (@tweepul) January 15, 2018
#Aadhaar #FaceAuthentication will work with laptop & Mobile camera. That means it won’t even be able to check whether the entity authenticating is a living warm human or a simple cold photograph. A secure face auth needs infrared temperature sensor.
January 16, 2018 at 5:00 pm
The addition of ‘ face identification’ to strengthen aadhar security is an indication of the lacunae present in the project. This will also mean further complications may not be ruled out