India’s leading financial newspaper, The Economic Times, featured a piece today, “You can’t make citizens safer by making them more vulnerable. Aadhaar does exactly that,” that spotlighted flaws in India’s Aadhaar universal identification number scheme, including its undue reliance on biometrics.

As I discussed at greater length in an October post, “Biometric ID Fairy: A Misguided Response to the Equifax Mess that Will Only Enrich Cybersecurity Grifters and Strengthen the Surveillance State,” the Aadhaar system is being held up as a model by those who would like to capitalize on the Equifax data breach by replacing US Social Security numbers with a biometric identification system.

Given that the Aadhaar scheme is being touted as a model for the US to consider, I thought it would be worth spelling out some of its flaws, many of which are well known in India but with which the core of Naked Capitalism’s readership is not familiar.

Linkage of Accounts to Aadhaar

The Government of India and its various bureaucracies, aided and abetted by Indian courts, are mandating widespread use and linkage of accounts to the twelve-digit Aadhaar number. Thus, Indians must now supply an Aadhaar number when they apply for a bank account, as well as link any existing accounts to that number (otherwise, the bank account is frozen). SIM cards are tightly controlled in India, and Indians must now link their Aadhaar number to their mobile ‘phone accounts (including mobile wifi systems).

The use of Aadhaar doesn’t stop there and is in fact accelerating, according to today’s Economic Times piece:

Next year, there is a plan to roll out Aadhaar-linked programmes like a Public Credit Registry with transaction data, and the National Health Information Network electronic health records. The risk of personal information leaks increases with more services getting linked to Aadhaar due to security vulnerabilities, or sheer incompetence of the government or third parties.

A couple of problems flow from this centralizing approach. First, the more basic services and accounts are linked to Aadhaar, the greater the consequences that follow from potential hacks. Such a hack would compromise not only financial information but also mobile phone service, and any and all other services linked to the Aadhaar number.

Second, as today’s Economic Times piece makes clear, the terrorism boogeyman is being trotted out to justify a steady surrender of privacy – even though wider Aadhaar verification may actually supply a false sense of security. Once a person produces an Aadhaar number, it’s assumed that it was legitimately obtained – when that may not be the case:

In October 2016, Delhi Police busted an Inter-Services Intelligence (ISI) spy ring and found that Mehmood Akhtar had an Aadhaar card naming him as Mehboob Rajput. In May this year, the Central Crime Branch found that three Pakistanis had obtained Aadhaar cards in Bengaluru through a middleman for Rs 100 each. More recently, Zeebo Asalina, an Uzbek national arrested in Orissa, had an Aadhaar card naming her as Duniya Khan.

Telecom Regulatory Authority of India (Trai) chairman and former CEO of the Unique Identification Authority of India (UIDAI) R S Sharma suggested … that security agencies may have a better chance of nabbing potential terrorists if all mobile connections are verified using Aadhaar. There is a major flaw in this assertion.

….

What is common in the aforementioned cases is that these Aadhaar cards were based on forged documents. Since UIDAI does not conduct verification by itself, it retains the flaws of these documents and is not ‘fraud-resistant’. In fact, once they have Aadhaar, things may get easier for potential terrorists, given the incorrect perception that it is foolproof (my emphasis.)

Touchingly Naive Faith in Biometric Fairy

I want to highlight another problem: the misplaced overreliance on biometrics. The single most serious problem with such reliance – which I discussed in my October piece cited above – is that, unlike a number, your biometrics – fingerprints, eyeballs, DNA – cannot be changed once compromised. Another October Economic Times piece, “Watch out, Aadhaar biometrics are an easy target for hackers,” expands on the security vulnerabilities of relying on such systems for authenticating identity:

Biometric data, unlike passwords, can never be changed, so if hackers successfully impersonate a fingerprint then they can cause serious havoc, and there is not much the victim will be able to do about it.

With the recent government policies making biometrics the central identity verifier via Aadhaar information, a billion consumers could be walking a thin line between security and convenience. Though it becomes extremely convenient to make transactions via a single touch on your smartphone, it also means that all a malicious hacker needs to get is your fingerprint. Once he gets that, there’s no stopping. Identity theft and fraudulent transactions may just be the beginning.

Now, the government of India had averred that the biometric information collected under the Aadhaar system is secure. [Jerri-Lynn here: They would, wouldn’t they?] But as the article continues, that is not actually the case:

The government claimed that Aadhaar is completely secure, and the data of the consumers was absolutely safe from any malicious party until a severe flaw was detected in the system. The bug allowed a malicious operator to save a user’s biometrics and simply use it to carry out transactions on the victim’s behalf via replaying the saved biometrics.

What I found particularly worrying is the ease with which fingerprints can be stolen:

Hackers can easily clone your fingerprints to gain access to your life. What’s scarier is that it’s neither too costly nor too difficult.

Fingerprints can be picked up from daily objects easily or mass attacks are possible if the servers of UIDAI are hacked. Hackers can also skim fingerprints via malicious biometric devices just as with infected credit card machines. The problem here though is that you can block your credit card but not your fingerprint.

The possibilities expand when 3-D printing technology is brought into play:

This can be done via digitally replaying the print to authenticate applications and transactions. Another possibility is to use 3D-model printers to simply make a physical copy of the print. It is even possible to make physical fingerprint replicas using simple dental moulds and some playing dough. According to research at the Department of Computer Science and Engineering at Michigan State University in the US, fingerprints can be replicated for less than $500 with conductive ink fed through a normal inkjet printer, in a procedure that takes less than 15 minutes. According to researchers at CITER, the disturbing thing about fingerprints is they can be hacked just by using everyday items like some dental mould to take a cast and some playing dough to fill it. All they need is an impression of a person’s fingerprint. Using the cloned fingerprint, the hacker can enter every mobile application or device that uses the fingerprint as a security measure.

Yikes.

The same October Economic Times piece discusses simple ways to hack other types of biometric identification, including facial recognition, retinal scans, and voice recognition.

So, it appears that the biometric ID fairy is actually not going to save the day here.

In fact, the opposite is actually the case, with the rush to widen Aadhaar creating a serious risk of potential catastrophe.

Regular readers are well aware of the misery and economic chaos that followed from Prime Minister Modi’s botched demonetisation plan – which I discussed on several occasions, most recently in “Remember, Remember the Eighth of November: India’s War on Cash Assessed One Year Later.” (See also other coverage here, here, here, here, here, and here.) One reason demonetisation was such a debacle is that India remains a largely cash-based economy, and simply lacks the digital infrastructure that might have allowed its residents to cope with the nearly instantaneous cancellation of most of its currency in November 2016 – and the failure to supply replacement currency quickly, and in sufficient amounts, to allow for normal economic activity to continue.

But don’t just take my word for the poor state of India’s digital infrastructure, particularly in rural areas. See this piece from yesterday’s The Wire, “Alongside Modi’s Digital India, a Mounting Pile of Unanswered Network Quality Complaints,” discussing how India’s deficient digital infrastructure is thwarting the drive to shift Indians away from cash and toward more digital transactions:

A year after demonetisation, an examination of complaints received by the Department of Telecommunications (DoT) shows that thousands of people across the country are struggling to make online transactions due to the lack of a mobile signal or because they receive their OTP (one-time password) messages three or four hours after they initiate a transaction.

These complaints aren’t restricted to a particular provider but instead point to a systematic quality of service issue.

The quality of service problems associated with India’s telecom network have been well documented. While the total data payload in the country’s network grew over 60% last year, India ranked 89 among 100 countries in terms of average mobile internet connection speeds. Various reports over the last two years have shown how frequent call and packet drops, network outages and congested networks result in poor coverage and increased download times.

Hacking Aadhaar and Digital Infrastructure

As the October Economic Times piece discusses, the potential for hacking Aadhaar also poses another threat to this digital infrastructure, if and when it ever gets up and running:

The government has made Aadhaar mandatory for Indian citizens to avail of many government services. Aadhaar is being used almost everywhere now. If the data gets leaked, unlike changing your passwords or creating a new account, people won’t be able to change their fingerprints or their facial structure. The digital infrastructure that the government is trying to push all across the country can come crumbling down if proper security measures are not in place.

The glorious dream of Digital India could simply be a disaster if a billion countrymen finally get digitalised and a single hack gives malicious hackers a lifetime access to their digital assets and identity.

Second Thoughts?

India is marching full speed ahead on Aadhaar plans, at a time when other countries – Estonia, Spain – are having second thoughts about such arrangements, and in spite of the considerable burdens – mainly time and hassle – it imposes. I happen to be visiting India at the moment, and just a couple of weeks ago, I accompanied a friend as he purchased a new SIM card and wifi hotspot device. As I mentioned above, India tightly controls issuance of SIM cards. And the process my friend had to undergo to purchase a new wifi connection was anything but simple, requiring him to supply name, address, his mobile number; produce his Aadhaar card; and be fingerprinted. Had to be seen to be believed!

This same friend mentioned that he’d just received notification from his mobile phone company, requiring him to verify a new account he’d opened in July – even though he’d supplied his Aadhaar number when he created that account. I know the plural of anecdote is not data, but imagine the costs Aadhaar is imposing, with everyone having to make time, in person, to produce an Aadhaar card and verify telecoms accounts (not to mention bank accounts, etc.). And that’s just the start of it.

This is in contrast to the situation in London, where last time I visited, SIM cards were available in vending machines. Many other Asian countries– Indonesia, Malaysia, Thailand– make it similarly easy to purchase a “burner” SIM– for use in a ‘phone, dongle, or other digital device. Same in Australia, New Zealand, the US.

Today’s Economic Times article mentions in passing what I think is the crux of the matter:

The [Indian government’s] cavalier attitude towards privacy — that privacy cannot be at the cost of innovation — which Union information technology minister Ravi Shankar Prasad put forth at the prestigious Global Conference on Cyberspace (GCCS) in New Delhi on November 23, indicates the willingness to put citizens’ personal safety at risk: that your privacy is a price that GoI is willing to pay for making it easier for businesses to be built around your data.

Or, to make a slightly different point: creating Aadhaar and other similar technological solutions from scratch provides spectacular opportunities for grift – and that is perhaps the primary reason that so many are cheering on such efforts so loudly – despite their myriad deficiencies.

Bottom Line

This is not a model that the US should seek to follow, as it considers what policy should be adopted in the wake of the Equifax hack. The current Social Security number system is not without its flaws, but biometrics are no panacea, either.

By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She now spends much of her time in Asia and is currently working on a book about textile artisans.

Don’t Look to India’s Universal ID System as Model for Biometrics to Replace Social Security Numbers