It the largest biometric database in the world and it is fraught with security issues
Aadhaar scheme based on unverified data, violates SC order, says OppositionAadhaar data leak on portals can attract 3 years in jail, govt warns statesGovt websites are leaking Aadhaar details. Who will take action against ?After Jharkhand issue, Centre cautions states against Aadhaar data leakAadhaar data leak in Jharkhand raises doubts, again: Here are the details
Over the last few months, the Indian twittersphere has been awash with citizens concerned about government websites leaking millions of individual digital ID numbers.
On May 1, the Centre for Internet and Society, a multi-disciplinary think tank in Bangalore, released a report indicating that faulty information security practices have exposed as many as 135 million ID numbers, leaked from four government databases. The data leaks originated in the process of implementing online dashboards that were likely meant for general transparency and easy administration by the government agencies.
Developed by the Union government of India in 2009, the plan called for the creation a Unique Identification Authority of India (UIDAI) that would issue Unique Identity numbers (UIDs) to all residents of India. Under this scheme, now known as Aadhaar, the UID number ties together several pieces of a person’s demographic and biometric information, including their photograph, ten fingerprints and an image of their iris. This information is all stored in a centralized database.
The scheme has so far enrolled 1.13 billion Indians and residents of India, making it the largest biometric database in the world.
This has become a point of pride for government agencies involved in the program. Information Technology Minister Ravishankar Prasad (@rsprasad) tweeted:
Expanding programmesAadhaar was built to be used as an identity authentication mechanism that could have multiple services being built on top of it. The scheme was run under an executive order from its inception in 2009 until the Aadhaar Act was passed in 2016. The strategies employed by its supporters generated substantial controversy, and it since has been challenged in the Supreme Court on budgetary grounds. But thus far, it remains in place.
The UIDAI has maintained that the scheme is voluntary. Yet the central government has pushed state governments to include UID for a wide range of essential government services meant to be available to the public.
Independent news portal Scroll regularly covers issues related to UID’s linkages with various welfare programs through its Identity Project. In recent years, Scroll has identified multiple examples of public services being denied to individuals who did not have a UID.
Six months after Aadhaar was introduced in Rajasthan, state officials report that 10-15% of beneficiaries who normally received food grains from the government (under the National Food Security Act) have been denied some or all of their rations because the system could not authenticate their UIDs. A local farm laborer told Scroll that his rations had been drastically reduced since the arrival of Aadhaar. “In some cases, when we put our fingers, the machine reads out 5 kg, 10 kg, or 15 kg as our entitlement. But we are entitled to 35 kg as per the government norms.”
Advocates are quick to note that there is no adequate avenue to remedy in these situations, leaving citizens with little recourse or ability to seek that these errors be corrected.
Delicate infrastructure and its misuse
According to economist Jean Drèze, the new authentication system requires a lot of fragile technologies to work at the same time, such as a point of sale machine, internet connectivity, biometrics, remote servers and mobile networks. He also maintains that the primary cause of corruption in disbursement of food subsidies is related to the quantity of rations distributed or quantity fraud, which UID doesn’t address.
Another economist who has worked extensively on these issues, Reetika Khera points out that the exclusion of large number of people from welfare schemes has not been because of lack of an identity, but rather due to “measly budgets and exclusion errors.“
Contention with the court
The Supreme Court issued two orders in September 2013 and March 2014 which stated that “no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled.” On August 11, 2015, the court issued yet another order which limited the use of UID to food, kerosene and cooking gas subsidies. On October 15, it further expanded it to four more schemes: the National Rural Employment Guarantee Scheme, Pradhan Mantri Jan Dhan Yojana (a scheme for financial inclusion), and policies related to pension and provident funds, after the government argued that it would be difficult to roll back UID now that it is the most used national identity system and is linked to service delivery in several major welfare schemes.
‘Leaky’ by design
Following the repeated arguments by the state that UID makes it possible to weed out ‘ghost beneficiaries’ and ‘de-duplicate’ multiple IDs, revelations of fake ‘UID cards’ began to circulate. These UID cards were reportedly issued under the names of pets, historical figures, one alleged spy and even gods.
Not the only option. The other option is if the ED & Min of Corp affairs do their bloody job properly! https://twitter.com/ANI_news/status/855299522682961920 …
@Memeghnad Also, it’s as if there are no fake Aadhaar numbers. They bloody gave an Aadhaar to a cat, dog and Jhansi Ki Raani!! https://scroll.in/article/826089/it-isnt-just-dhoni-uidai-received-1390-complaints-about-aadhaar-agents-but-took-no-legal-action …pic.twitter.com/dkaZDxDdeN
More recently, the Indian twittersphere has been vocal in pointing to government websites leaking sensitive information from the UID database. In February, security researcher Srinivas Kodali exposed a parallel database containing UID numbers and other details of 5-600,000 children.
In another case, UID numbers of scholarship-holders sat on a state government website for over a year.
On March 22, 2017, tech worker @St_Hill exposed the severity of the problem by showing spreadsheets of personal data that appear with just a single Google search.
Okay I wrote a 1000 word thing about Aadhaar. What’s the best way to share – do people read blogs nowadays? Medium? Twitter thread?
So I wrote a few words about Aadhaar. Will be happy to be proven wrong if you find something incorrect https://medium.com/@St_Hill/i-wrote-a-few-words-about-aadhaar-34e141afb725#.icmnt9792 …
4 other issues that need UIDAI/Aadhaar’s attention – St_Hill – Medium
While the debates around privacy, database security and mandatorification of Aadhaar rage on, these 4 issues/flaws too need attention.
This was immediately taken down. But new ones continue to appear with other simple Google searches.Under the hashtag #AadhaarLeaks, Twitter users have reported numerous such cases on various government websites. The leaks gained popular attention on social media when former Indian men’s cricket team captain MS Dhoni’s UID appeared in a tweet sent by a UID enrollment operator.
The government response
This was rejected by angry twitterati through the hashtag #AadhaarFail which now offers a compendium of tweets about UID-based authentication failures.In the last couple of months, after the privacy and security-related concerns became louder, the UIDAI has shut down enrollment operators, websites and payment applications for misuse of biometrics data. The central government has even warned state departments against leaking UID data on their portals.
As the uncertainty looms, privacy researcher Amber Sinha and aforementioned security researcher Srinivas Kodali estimated the size of #AadhaarLeaks.
Our report on the scale of #aadhaarleaks 130 million #Aadhaar data was public. 100 million were linked to bank A/Chttp://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1 …
Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability…
In this paper, we highlight four government projects run by various government departments with publicly available financial data and Aadhaar numbers.
It remains to be seen how the government will react to this.
This article by Rohith Jyothish originally appeared on Global Voices on May 2, 2017