The government has made registration for and use of Aadhaar mandatory in every aspect of citizens’ lives, claiming it is safe; but is it really?
A report from the Tribune on Thursday morning revealed yet another major weakness in the architecture built around Aadhaar, the Indian government’s 12-digit unique identity project designed to cover every resident of the country. While previous leaks have seen government websites giving away some data meant to be kept confidential, the Tribune story suggests that unverified agents can get access to demographic details of every single person enrolled in the Aadhaar database.
For a fee of merely Rs 500, a reporter from the newspaper was able to get access to personal details of any of the 1 billion people enrolled, and for another Rs 300, was able to print out Aadhaar cards for any given number.
How the hack works
That is a staggering security error, and one whose reach extended across the entire Aadhaar database.
Here is how it worked: The Tribune reporter paid an agent Rs 500 through PayTM. The agent then created a gateway with a login and password allowing the journalist to search directly in the database. “Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI [Unique Identification Authority of India], including name, address, postal code [PIN], photo, phone number and email,” says the report, by Rachna Khaira.
For another Rs 300, the agent provided software that permitted the reporter to print out an Aadhaar card for any number put into the system, complete with photo, address and other details. The Tribune report claims that this is possible through access originally provided to over 3 lakh village-level enterprise operators who had been enlisted by the UIDAI to carry out Aadhaar enrolment. In November 2017, the UIDAI withdrew this job from the village-level and other operators due to security concerns, moving the task to post offices and designated banks. But, according to the reporter who conducted the hack, these operators still have access to the demographic details across the database and are now charging a fee to offer this to anyone.
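The facility described above returned a full record for any number typed in, on a login that could simply be handed to someone else. From the defender's side, the audit log of such a lookup portal is where this kind of abuse shows up. The following Python is an added example, not code from the Tribune report or from UIDAI: the log format, account names, IP addresses, hashed identifiers and thresholds are all constructed assumptions for illustration. It flags an account that queries many distinct identifiers within a short window (bulk extraction or enumeration) and an account used from several source addresses in the same window (a resold or shared credential), which are the two patterns the report implies.

```python
"""Spotting abuse of an identifier-lookup portal from its audit log.

Added example, not code from the Tribune report or from UIDAI. The log
format, the accounts, the addresses, the hashed identifiers and the
thresholds below are constructed assumptions for illustration only.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log for a hypothetical lookup portal.
# Each line: timestamp, account, source IP, hash of the identifier queried
# (a real log should record a keyed hash, never the raw identifier).
# 'ops-17' behaves normally; 'vle-2291' looks up seven different
# identifiers in two minutes from three different addresses.
SAMPLE_LOG = """\
2018-01-04T09:00:01Z acct=ops-17 ip=10.1.4.20 id=f01a
2018-01-04T09:03:40Z acct=ops-17 ip=10.1.4.20 id=f01a
2018-01-04T09:31:12Z acct=ops-17 ip=10.1.4.20 id=c77d
2018-01-04T10:12:00Z acct=vle-2291 ip=49.32.8.5 id=0a11
2018-01-04T10:12:09Z acct=vle-2291 ip=49.32.8.5 id=0a12
2018-01-04T10:12:15Z acct=vle-2291 ip=117.5.9.40 id=0a13
2018-01-04T10:12:31Z acct=vle-2291 ip=117.5.9.40 id=0a14
2018-01-04T10:13:02Z acct=vle-2291 ip=203.0.113.7 id=0a15
2018-01-04T10:13:40Z acct=vle-2291 ip=203.0.113.7 id=0a16
2018-01-04T10:14:05Z acct=vle-2291 ip=49.32.8.5 id=0a17
"""


@dataclass(frozen=True)
class LookupEvent:
    ts: datetime
    account: str
    ip: str
    id_hash: str


def parse_line(line: str) -> LookupEvent:
    """Parse one 'timestamp key=value ...' audit line (assumed format)."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return LookupEvent(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        account=kv["acct"],
        ip=kv["ip"],
        id_hash=kv["id"],
    )


def parse_log(text: str) -> list[LookupEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(
    events: list[LookupEvent],
    window: timedelta = timedelta(minutes=10),
    max_distinct: int = 5,
    max_ips: int = 2,
) -> dict[str, set[str]]:
    """Return {account: {reasons}} for accounts whose activity in any
    sliding window exceeds the lookup or source-address thresholds.

    A grievance-redressal operator answers a handful of queries, each
    tied to a person in front of them; many distinct identifiers in a
    few minutes, or one login active from several networks at once, is
    the signature of extraction or of a credential that has been passed on.
    """
    by_account: dict[str, list[LookupEvent]] = defaultdict(list)
    for ev in events:
        by_account[ev.account].append(ev)

    findings: dict[str, set[str]] = defaultdict(set)
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        for i, cur in enumerate(evs):
            # Events for this account in the window ending at 'cur'.
            recent = [e for e in evs[: i + 1] if cur.ts - e.ts <= window]
            if len({e.id_hash for e in recent}) > max_distinct:
                findings[account].add("bulk_lookup")
            if len({e.ip for e in recent}) > max_ips:
                findings[account].add("shared_credential")
    return dict(findings)


if __name__ == "__main__":
    for account, reasons in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: {', '.join(sorted(reasons))}")
```

The thresholds are deliberately conservative placeholders; in practice they would be set from the observed per-operator baseline, and a finding would trigger credential revocation and a review of which records that login touched, rather than just an alert. The window scan is quadratic per account, which is fine for a per-operator log but would be replaced by a streaming counter at scale.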
What does it mean?
Anyone who has your Aadhaar number can quite easily collect all sorts of other information about you, including your photo, home address, phone number and more. They can even print out a duplicate Aadhaar card.
This does depend on someone getting access to your Aadhaar number in the first place, a number that is supposed to be kept secret. But as numerous reports have shown just recently, often government websites themselves have been leaking Aadhaar numbers, making it easy for just about anyone to access them.
The UIDAI issued a press release denying the Tribune story and insisting that there has been no Aadhaar data breach. “UIDAI assured that there has not been any Aadhaar data breach. The Aadhaar data including biometric information is fully safe and secure.” The authority claimed that the search facility, which allowed the reporter access to demographic data using just an Aadhaar number, is meant to help designated personnel and state officials provide help to citizens who have grievances.
“UIDAI reiterates that the grievance redressal search facility gives only limited access to the name and other details and has no access to biometric details. UIDAI reassures that there has not been any data breach of the biometric database which remains fully safe and secure with the highest encryption at UIDAI and a mere display of demographic information cannot be misused without biometrics,” the statement said.
But recent events have shown this to be untrue.
This simple example is a reminder of how often Aadhaar is now used as an identity document without biometric authentication, for instance as ID proof at an airport. Being able to print out anyone’s Aadhaar card turns this into a major vulnerability.
But there is more to it than that.
In October, there were reports of several cases of bank fraud being investigated by police in Delhi and Noida, in which the alleged conmen needed only the Aadhaar number and the phone number linked to it in order to siphon money out of accounts. The fraudsters did not need to breach UIDAI’s biometric database to steal money; they needed only the demographic data attached to an Aadhaar number, the same details that the Tribune reporter accessed, in order to carry out the con.
Not the first time
Some of this is actually not new. In April 2017, it was reported that some demographic data and Aadhaar numbers were showing up through a simple Google search. What the Tribune story adds is that people are now starting to monetise their fraudulent access to the Aadhaar data. This means the Tribune story is most likely just the tip of the iceberg, especially given how easily it was done. It is just as likely that others have managed to download entire tranches of the demographic data from the Aadhaar database, if not the entirety of it, and can now use all of that personal information for anything from data-mining to fraud.
Yet UIDAI’s response all along has been to insist that there is nothing to worry about because the biometric data has not been compromised. “Mere availability of Aadhaar number will not be a security threat or will not lead to financial/other fraud, as for a successful authentication fingerprint or iris of the individual is also required. Claims of bypassing or duping the Aadhaar enrolment system are totally unfounded. Aadhaar data is fully safe and secure and has robust uncompromised security.”
The impact of a report like this could be wide-ranging or it could end up being ignored for the most part, other than the authorities cracking down on the individuals involved in this case. The broader question raised by this incident relates to the data protection law, which the government told the Supreme Court it would bring in, in connection with the question of whether Aadhaar is a violation of the fundamental right to privacy. The Justice BN Srikrishna Committee has been asked to come up with data protection recommendations. But what use are those if all demographic data from Aadhaar enrollees is already in the hands of those who should not have it?
The media report also mentioned that groups operating on the internet had targeted village-level enterprise (VLE) operators working under the Common Service Centres Scheme, and said the VLEs had gained illegal access to Aadhaar data and subsequently claimed to provide “Aadhaar services”. A UID official said they were looking at the claim but pointed out that enrolment agents did not have access to the Aadhaar system.
With the Supreme Court due to soon pronounce on the validity of the use of Aadhaar for a range of services, the claim of a data theft raised a flurry of reactions, with Left leaders saying the incident exposed the frailty of the UID system. Senior police officials said that by entering Aadhaar numbers, one could get details that are available on an Aadhaar card, along with the phone number.
Kiran Jonnalagadda, co-founder of tech discussion forum HasGeek and Internet Freedom Foundation, said the Aadhaar system is insecure.
“The backdoor has already been opened. It is quite easy to hack into their systems and the stolen demographic identities can be misused in a lot of ways,” he said. He is one of the petitioners in a change.org petition demanding proper auditing of the Aadhaar database. A person working with the government on Aadhaar-related projects said that while leaks should not happen, no material leak had happened in this case.
“Aadhaar has less information about you than even the voter ID card,” he said, adding that such leaks could happen even in the voter ID card system or the RTO. The Indian system does not allow any agency, including the government, to access a resident’s data without authorization from the person. He said telecom operators and others in the US can look up a citizen’s data by accessing his/her social security number without the citizen even knowing about it.
UIDAI said Aadhaar is not a secret number. It is to be shared with authorized agencies whenever an Aadhaar holder wishes to avail of a certain service or benefit from government schemes.