Aadhaar: India’s Honey Pot for Hackers

Despite the Aadhaar being heralded by the Indian Government and organisations such as the World Bank as a silver bullet of modern governance, innumerable issues and criticisms remain unresolved. Foremost amongst these is the allegation that the Aadhaar project violates the privacy of 1.2 billion people, given the extent of information that is linked to the Aadhaar number that could be used for surveillance and profiling of an individual. A challenge to the Aadhaar project is currently pending before the Supreme Court on these grounds.

Integral to the issue of whether the Aadhaar violates privacy is the security of Aadhaar data. The Indian Government has often advanced a two-fold and somewhat contradictory argument to defend the Aadhaar project in the context of cybersecurity: first, that the data contained in central identities repository (“CIDR”) is 100% secure, and second, that absolute security cannot be guaranteedanywhere in the world where technology is used and hence such concerns should not derail the use of technology itself. Both arguments are, however, seriously flawed. It has been proven conclusively that leakages of sensitive personal data have occurred multiple times at other points in the Aadhaar infrastructure pipeline, thereby making the (claimed) unimpeachable security of the CIDR meaningless. Moreover, the assertion that technology cannot be discarded solely because of the risks it poses, grossly underestimates the implications of exposing the sensitive personal data of individuals; particularly from a privacy, personal autonomy and national security perspective.

The moot point in this context is whether the Aadhaar infrastructure suffers from a grave cybersecurity risk. If it does, then the consequences of this risk being realised need to be analysed. Where such consequences are dire, the restructuring or even abandonment of the Aadhaar project needs to be considered. The analysis of these issues forms the primary focus of this article.

Accordingly, the first section analyses the primary cybersecurity risks faced by the Aadhaar project. The second section reviews the issue of whether a centralized biometric database can be secured against threats. The third section focusses on the possibility that the data collected by the Unique Identification Authority of India (“UIDAI”) is already been compromised by domestic and foreign interests, and the fourth section describes the possible repercussions of the Aadhaar data being compromised.

The hypothesis put forward at the start of this article is that the Aadhaar project’s usage of biometric data and the inter-linkage of personal information across databases creates a potentially catastrophic risk to both the individual and the nation. If this holds out, the Indian Government should not hesitate from pulling the plug on the entire project, just as other countries have done in the past, irrespective of the sunk costs already incurred.

 

1.            The Cybersecurity Risks of the Aadhaar Project:

1.1          Inadequate safeguards during enrolment and authentication:

1.1.1       Weak points in the Aadhaar infrastructure

“The gravest threat to the security of the Aadhaar project comes at the points of enrolment and authentication of Aadhaar numbers. The fact that the registrars, enrolment agencies, and authentication requesting entities that might store and subvert information presented to them is a definite risk that has been realised on several occasions. “

In February 2017, the UIDAI itself issued notices to three entities providing authentication-related services for the illegal storage and misuse of biometric data collected from Aadhaar holders, thereby proving vulnerabilities at different points of the Aadhaar pipeline.

Protection against compromises at this level is difficult, despite the security policies prescribed by the UIDAI and device certifications mandated by the STQC. Agents at these points will always be able to use compromised devices to facilitate (i) the substitution or tampering of biometric data submitted at the point of enrollment, and (ii) storage of the biometric data submitted through the authentication device for subsequent use. The UIDAI will not be able to monitor conduct of these entities across the country, and even the mandatory registration of all biometric devices linked to the Aadhaar by way of embedding an encryption key, would not protect against a biometric device compromised at the hardware level from, since encryption provides assurance solely at the software level. Once a biometric is stored locally, it is compromised permanently; it can thereafter be altered minimally and used to fraudulently authenticate another transaction without raising any suspicions from the system.

Note also that the Aadhaar infrastructure envisages the use of personal devices to initiate authentication requests. For example, the BHIM App launched by the Prime Minister facilitates payments through fingerprint verification on a mobile device. Yet, there can be no protection against mobile phones that might be compromised by virtue of the unsecured hardware involved, and in this context note that over 50% of the smartphones used in India being of Chinese manufacture. This represents a potentially catastrophic risk in the event of a conflict between the two nations.Moreover there is no national encryption policy that could protect against such data theft at the application layer, which is disturbing, as the Indian Government is pushing businesses and start-ups to use the India Stack to authenticate transactions with customers.

 

1.1.2       Failure to specify security standards:

Although the Aadhaar Act empowers the UIDAI to mandate the security policies, data management practices and technological safeguards to be adopted by third party entities engaged for involved in the provision of Aadhaar-related services, these have not yet been specified. Even the Aadhaar (Data Security) Regulations, 2016 only goes so far as to detail the powers of the UIDAI in prescribing security standards binding on all parties involved in the Aadhaar project, while leaving the actual stands to be specified by the Authority at a later date. An analysis of the regulations issued under the Aadhaar Act reveals that the phrase “as specified by the Authority” has been used 51 times.

The implementation of such a critical project without sufficient legal and technical safeguards, has served to seriously undermine the security of the Aadhaar project. Large amounts of Aadhaar related data have already been leaked, and adequate security standards are long overdue. This is compounded by the lack of basic cyber hygiene of most participants in the Aadhaar pipeline, particularly government agencies involved. Consider the fact that a large proportion of the leakages of Aadhaar-related data has come from websites operated by State agencies. In a study conducted by the Centre for Internet & Society (“CIS”) on government departments using the Aadhaar pipeline for financial and banking services, it was found that four Government departments running different government projects had made public, the sensitive personal information of over 135 million Aadhaar holders on their portals. In April 2017, for instance, allegedly on account of a programming error, a website maintained by the Jharkhand Directorate of Social Security made the Aadhaar numbers of lakhs of pensioners available to the public.

“The status quo with regard to cyber security and data protection in India is important in the Aadhaar context, given that numerous private parties may and are necessarily required to be contracted by the UIDAI for the performance of various functions related to the project. Yet, the Indian government has shown no urgency in introducing cyber-security assurance standards and imposing better practices through regulatory framework. Indeed, the complacency of the Indian government in securing the Aadhaar system was displayed in the delayed declaration of the CIDR as a protected system under Section 70 of Information Technology Act, 2000 (“IT Act”). This was done on December 11, 2015, five years after the collection of biometric and demographic information first began.”

Thus the Indian Government has rushed the Aadhaar project despite the general state of cybersecurity in India being deplorable, which might well have led to the compromise of a majority of the Aadhaar data already collected. This is discussed in greater detail in Section 3 below.

 

1.2          Use of biometrics for identification and authentication:

1.2.1       Biometrics are public and inherently unsafe:

“The foremost argument against the use of biometrics in the Aadhaar infrastructure is that biometric data is public by its very design. A person’s fingerprints are the most scattered signature of his life on earth, and can be easily duplicated through the use of silicon film or even wax. The same issue exists with iris scans, which can be captured at a distance without the knowledge of the target, using high resolution cameras. Neither of these features are truly private, and can be harvested without the knowledge of an individual, thereby making terrible tools for authentication.”

To understand this argument better, consider the differences between identification and authentication. Identity is a public representation of individual information, while authentication is confirmation of that identity under a challenge, usually for a specific and private purpose, such as making payments. Thus while identity may be based on publicly available data, such as a person’s name or lineage or other identifiers, authentication should never be based on anything remotely public on account of the significant chance of misuse. Thus, the dependence of the Aadhaar on the use of biometrics enables the possibility of identity theft and fraud, by anyone with access to a good camera or a magnifying glass and impressionable film.

 

1.2.2       Biometrics are inaccurate and error-prone:

Biometric authentication is a measure of probabilistic process, and biometric matching never returns an absolute match or even a consistent match. This is because minor variations in the biometric occur each time a scan is generated, and are dependent on several factors such as atmospheric conditions, impurities on the body part, dust particles on the scanner, ageing of the human body, etc. These variations manifest in differences of the matching score, and thus the change of error always exists. For this reason, biometric authentication cannot be taken as a failsafe proof of identity.

This is particularly relevant in the context of the problems faced during the Aadhaar enrolment process: it was often found that the biometric data gleaned from homeless people was imperfect, and the biometric machines could not identify the unique contours of fingers damaged by harsh living conditions or manual labour. People with mutilated fingers were excluded from the enrolment process for prolonged periods, until specialised equipment and certification could be obtained. An expert witness before the Lok Sabha Finance Committee stated that it was proven that failure to enrol peoplebased on fingerprint data was as high as 15% in the Indian environment, given the dependence on manual labour. This effectively means that approximately 180 million Indian citizens are likely to develop unreadable fingerprints at some point in their lives.

Also Problematic is the high rate of errors in technology using biometric authentication. An early experiment conducted by the UIDAI itself indicated that the expected proportion of duplicates, i.e. a fingerprint reading of one Aadhaar holder that matches that of another Aadhaar holder (“Duplicands”), for 1.2 billion people is expected to be 1/121. This means that the biometrics of nearly one lakh registered Aadhaar number holders will match the biometrics of other Aadhaar number holders; a ratio that is unacceptably high for an authentication system providing the gateway to accessing essential public services. Interestingly, note that since September 29, 2010 until August 2, 2016, the UIDAI has deactivated 85,67,177 Aadhaar numbers on account of inadequacies in the biometric data captured. Many of these could have been for no fault of the Aadhaar number holder, but instead on account of the flaws of the biometric matching system itself. Individual reasons for the deactivation was not provided in a majority of these cases.

 

1.2.3       Biometrics are irrevocable:

“Importantly, the biometric information of a person is irrevocable. Once a biometric is compromised, the value of that biometric is entirely undermined and there is no going back. If the fingerprints of an Aadhaar card holder is compromised or freely utilised by unauthorised persons in the public domain, the only solution available to the affected party is to lock his biometric data in the CIDR. It is for this reason that many security experts prefer old fashioned passwords to biometrics.”

The fact that the Aadhaar infrastructure provides the option to lock biometric data is ironic, as it amounts to an admission of the inherent unsafeness of using biometrics for authentication. Recall that anyone forced to lock her/his biometric data on account of fraud or misuse is excluded from authenticating any transaction for the period of the lock-out.

Thus biometrics are inherently unsafe and unsuitable to the purposes for which the Aadhaar project is supposedly established, and a system of smart cards would be far better suited from a cybersecurity perspective.

 

1.3          Linking data across databases to the Aadhaar number:

1.3.1       Correlation of identities enables surveillance:

Surveillance generally refers to the sustained ability of an entity to monitor or review the movements and activities of an individual. Accordingly, the ambit of surveillance is not restricted solely to live or real-time events, but will include the access to past events in the life of the targeted individual. In this context, the Aadhaar project enables absolute surveillance of Aadhaar number holders by the Government and any other party that gains access to Aadhaar-related information, whether legally or otherwise.

This is made possible by the mandatory linkage of the Aadhaar number to, inter alia, personal account numbers, bank accounts, medical records, phone numbers, tax returns, welfare programmes, which creates a digital biography of meta data on an individual’s life that is highly vulnerable.  This information may be exploited by the Government in a number of ways, including the discovery and retaliation against dissidents identified using such data; an example would be the compilation of a list of people present at an anti-government protest by matching the location of cell phone users gleaned from phone records that are linked to Aadhaar numbers.

Moreover, the linkage of databases using the Aadhaar number enables private parties to track an individual’s activities across other private domains, since the Aadhaar number is known to authentication agencies at the time of authentication. This would incentivise the sharing, by businesses and other private entities, of the transactional data of their customers using the Aadhaar number as an identifier, thereby leading to identification without consent.

 

1.3.2       Inter-linkage creates vulnerable dependencies:

By mandating the linkage of Aadhaar across the board, the Government has effectively made independent systems reliant on the Aadhaar infrastructure. An increasing number of Government services are using the Aadhaar for authentication purposes, and hence access to these services by individuals is now dependent on technological process that is prone to errors and external attack.

Significant in this context are the issues of Duplicands, and failures to authenticate because external factors, both of which are discussed in Section 1.2.2 above. These issues have caused numerous instances of people being denied food, pensions, mobile connections and even emergency medical services, thereby excluding people, for no fault of their own, from accessing essential services and welfare benefits that they are legally entitled to.

Further, the Indian Government is actively encouraging private parties to make authentication of the Aadhaar number mandatory for private transactions, and the Aadhaar Act does nothing to prevent this. Accordingly, greater dependencies are being created on the Aadhaar infrastructure, and it would only take a single concentrated cyber-attack on the system to cause widespread chaos and immobilisation of services.

 

2.                The (de)merits of a centralized biometric database:

2.1             Prime target for cyber-attacks

The Indian Government has repeatedly stressed the unimpeachablesecurity of the CIDR. Yet, the unreliability and heightened risk of a centralised biometric database, particularly one that contains sensitive personal information and linkages to other essential databases, is well established.

“Numerous studies have indicated that the creation of a centralized biometric database holding the biometric and demographic information of citizens poses too great a threat to national and individual security. This is because such databases represent a veritable goldmine to hackers, terrorists and even other nation states, and inevitably face sustained external attacks.”

The risks are increased manifold in the case of a CIDR like system, which is linked to the provision of essential services in the country. This makes it an attractive target for attacks like ‘distributed denial of service’ (“DDOS”), which temporarily stop the CIDR from responding to authentication requests and thereby disrupt the provision of essential services. Additionally, a single breach or security lapse would compromise all of the data held within, thereby driving privacy violations and instances of identity theft sky high.

Instances of critical infrastructure being hacked across the globe are plentiful. In 2012, DDOS attacks on US Banks caused a prolonged outage that caused large financial losses by preventing customers from accessing their accounts. In 2013, a large financial institution was hacked and the customer information of 83 million customers stolen. In 2015, the national power grid of Ukraine was shut down for hours, leaving over 200,000 people without electricity for 6 hours. In 2017, a global ransomware attack (“Wannacry Incident”) infected 45,000 computers across 74 countries, including (i) the National Health Service of the UK leading to mass disruption of medical services, and (ii) telecommunications utilities in Spain. The Wannacry Incident also crippled systems of several organisations in India, including the Andhra Pradesh Police and a car manufacturing plant outside Chennai; note that an estimated 70% of all ATM machines in India run on the outdated version of Windows XP that was exploited by the Wannacry ransomware.

“It is therefore naïve to imagine that the CIDR is beyond threat or capable of withstanding attacks. Yet, the Indian Government has betrayed a sense of disregard for the potential security risks. When posed with the question as to whether the government possessed “the technology to protect the hacking of bank accounts, hacking of income-tax accounts through the Aadhaar number”, the response (provided by the present Finance Minister) was that new technology always carried the risk of being compromised, and that this was no reason to reject the the adoption of technology. This argument grossly underestimates the consequences of a technological system that could compromise the biometric information of 1.2 billion people.”

 

2.2             Precedent for abandoning a centralized biometric database:

In 2010, the United Kingdom abandoned its flagship ‘National Identity Card Scheme’, which was impugned on account of serious criticisms over the project, including reasons such as: the technology being ‘unsafe, untested and unreliable’; the entire project ‘lacking a foundation of public trust and confidenceand the effect of creating a ‘fundamental change the relationship between the State and citizen’. Other key considerations were that the interdependency of the proposed registry on devices and networks operated by private parties added to the overall vulnerability, and the fact that the recommended cyber assurance specifications could not be met by a majority of the private third parties involved in the processes.

Interestingly, these concerns were summarily dismissed just a year later by the Standing Committee on Finance (2011-12) as inapplicable to the Indian context, in their report on the then proposed National Identification Authority of India Bill, 2010 (“NIAIBill”). The reasons advanced by the Committee for this were the supposed differences between the UK Scheme and the Indian Scheme on the grounds of:

 

Rationale for dismissal Analysis
The UK Scheme being a system of smart cards while the Indian Scheme being a number linked to data in a centralized database This distinction is not entirely accurate, given that the UK’s Identity Cards Act, 2006 required that all collected data be stored in the proposed National Identity Register, against which the individual biometric cards would be verifiable.

Moreover, several experts have opined that a smartcard system is preferable, as security breaches will not compromise the entire database and theft of data will be limited to individual units.[50] A single breach of a centralized biometric database however would result in the exposure of data belonging to millions.

The UK Scheme was mandatory, with large data fields linked to multiple national databases, while the Indian Scheme is envisaged as voluntary, with smaller data fields and no inter-linkages In its current form today, six years after the report was submitted, these distinctions no longer hold good. The Aadhaar is far from solitary, but instead all pervasive and linked across the board to numerous databases.
The driving objectives behind the the UK Scheme was security concerns, while the Indian Scheme is driven by a welfare agenda Again, this claim is contestable, as the genesis of the UID project lay in national security concerns primarily relating to the desire of the first National Democratic Alliance government in India to curb illegal migration from Bangladesh, which was admitted by the UID Chairman Nandan Nilekani in a 2009 interview. Thus the founding sentiments were not entirely different. In any case, it is difficult to pinpoint the driving objectives behind the Aadhaar project in its current form, on account of the incessant expansion which has brought possibilities such as ‘surveillance’ into the fold of what was projected purely as a ‘welfare support system’.

 

 

3.                Whether the Aadhaar data is already compromised

3.1             Compromises at the developmental stage:

In 2010, at the inception of the Aadhaar project, contracts were awarded to three US based biometric service providers (“BSP”) for the ‘design, supply and implementation of the biometric solutions to be used by the UIDAI to set up the Aadhaar infrastructure’. These BSPs were: (i) L-1 Identity Solutions (“L-1”), (ii) Morpho-Safran (“Morpho”) and (ii) Accenture Services Pvt. Ltd (“Accenture”). A heavily redacted version of the contract between the Indian Government and L-1 Identity Solutions Operating Company Private Limited on August 24, 2010 (“Agreement”) for this purpose, was released by the UIDAI in response to an RTI petition and accessed by this researcher. The document throws up several issues worth consideration, such as:

3.1.1       The BSPs had access to unencrypted personal information of Indian citizens:

This is supported by the following provisions of the Agreement: (i) Clause 15.1 of Annexure A, which admits that the BSP may have access to personal information of a resident of India; (ii) Clause 4.1.1 of Annexure E, which confirms that the BSP had access to both biometric and demographic information for the purpose of de-duplication of the Aadhaar data; (iii) Clause 9.8.2 of Annexure E, which specifies that the BSP would have to fulfil data monitoring obligations using identity information in raw form; and (iv) Clause 3 of Annexure B, which specifies obligations on the BSP on account of the fact that it might, as part of its services under the Agreement, collect, use, transfer, store or process sensitive personal data of individuals.

3.1.2       That proprietary systems of the BSP may retain information unique confidential information of the Purchaser (UIDAI):

Clause 13.1 of Annexure A of the Agreement specifies that the rights in all pre-existing intellectual property (“IP”) of the BSP (including the proprietary algorithms) shall remain vested in the BSP, and this includes modifications or derivative works of such pre-existing IP. Accordingly, “… to the extent that a modification or derivative work made by L-1 Identity Solutions Operating Company or its consortium members contains unique confidential information of the Purchaser, then L-1 Identity Solutions Operating Company and its consortium members shall not further license or distribute such modification or derivative work to any other customer or third party without the Purchaser’s prior written permission.

Note that further information on the extent to which such unique confidential information of the UIDAI may be tied in with the IP of the BSP, could not be obtained as the UIDAI refused to divulge several annexures in the Agreement. This included the annexures relating to the technical bids, despite an order from the Chief Information Commissioner to release the same.

3.1.3       There was the existence of a conflict of interest between the BSP and the UIDAI:

Less than a month after the date of execution of this Agreement, the BSP in question, L-1 was acquired by Safran and merged with its subsidiary, MorphoTrust. Safran is a part government owned French defence company which acquired Morpho (another BSP) in 2009. Thus, the Aadhaar project was handed over to what was virtually a single entity with significant controlling interest by a foreign government. Moreover, numerous high ranking employees and directors on the board of these companies were senior officials in the defence and intelligence agencies of the United States and the United Kingdom.

Clause 23.1 (b) of Annexure A of the Agreement gave the Purchaser (UIDAI) the right to terminate the Agreement in the event that the BSP (or its team) is in a position of conflict of interest with the interests of the Purchaser. Yet, either through oversight or by design, this change in the ownership pattern of L-1 was not sufficient to trigger termination.

The investigation conducted by the magazine Fountain Ink into the linkage of the BSPs, foreign intelligence agencies and the possibility of their access to sensitive Aadhaar data is highly revealing. The contracts entered into by the UIDAI with these biometric vendors make it apparent that the BSPs conducted their functions as ‘independent and self-contained units, with negligible supervision’. The primary safeguards that were implemented were restrictions on physical removal of data and an audit trail of all unauthorized access, amongst other restrictions on things like internet access; inadequate to say the least. Even the devices that were used at the respective datacenter sites and UIDAI locations were to be provided by the BSP, including desktops, printers, tools and equipment etc.

“Hence it is not unreasonable to fear that the core biometric data of millions of Indian citizens could currently be in the hands of foreign third parties; even L-1 admits this. In its financial filings with the US Securities and Exchange Commission, L-1 disclosed that “the protective security measures used in these systems may not prevent security breaches, and failure to prevent security breaches may disrupt business, damage reputation, and expose L-1 to litigation and liability”.

3.2             Compromises at the operational stage:

A study by the researchers of the IIT Delhi concluded that the weakest link in the existing Aadhaar infrastructure was the point of collection, where a user’s biometric data could easily be stored through a compromised enrollment device without the knowledge of anyone involved. The level of certification of these devices is insufficient to guarantee safety, particularly at the hardware level. Thus, authentication user agencies, enrollment agencies, application service providers, KYC user agencies etc. could very well have access to the Aadhaar data, including core biometric information; the UIDAI itself has admitted an instance of this happening. While the UIDAI has specified mandatory security measures to be implemented from June 1, 2017, it is pertinent to note that this comes at a time when (i) over 114 crore Indians have already been registered and (ii) over 2 crore authentications are being conducted on a daily basis. Further, Aadhaar holders could use personal devices to initiate authentication requests (on the BHIM App for e.g., dealt with in greater detail below), which could include mobile phones running on unsecured hardware, which cannot possibly be certified by Government agencies.

“Unfortunately, the Aadhaar system seems to be running on faith rather than sufficient technical, legal and policy safeguards. The same faith that was extended by the UIDAI to foreign agencies at the stage of initiation of the Aadhaar project, as discussed in Section 3.1 above.”

We are thus left with the very real possibility that all the Aadhaar data currently presumed to be safe within the CIDR is already compromised, and divided up amongst domestic corporations, foreign spies and of course, various divisions of our Government. Hence it is essential to evaluate some of the potential consequences that could arise.

 

4.               Consequences of the Aadhaar Project:

4.1             Mass Surveillance:

A major criticism of the Aadhaar project is that its existing infrastructure is primarily a mass surveillance system. Such surveillance is facilitated by the following aspects:

4.1.1       The authentication records maintained in the CIDR allow surveillance

The UIDAI will always have at its disposal a real-time locational map of every transaction authenticated by an individual, given that the authentication record preserves a record of (i) the time of authentication, and (b) the identity of the requesting entity. This is more than sufficient to track the activities and whereabouts of an Aadhaar number holder, should the Government so wish. By examining the identity of the requesting entity and the time of the authentication request, it will be possible in a majority of cases to determine the location and activity of the authenticating individual. In effect, this transforms the CIDR from an ‘identity database’ to a ‘location register’ or an ‘activity register’ containing valuable meta data about an individual’s life. A 2011 study conducted on the possibility of determining private user information from anonymised location data showed that the publication of anonymised location data obtained through phone records could lead to a significant privacy risk, and even identification of individuals if combined with any other external data. Thus even the provision of aggregate information about people in a region or constituency may reveal specifics about individuals, particularly where such information relates to habitual human mobility. To put it simply, it is possible to identify and locate an individual based on the series of daily authentications requests initiated on his behalf.

4.1.2       The responses to authentication requests facilitate surveillance

The Aadhaar Act empowers the UIDAI to respond to an authentication request with a positive, negative, or ‘any other appropriate response sharing such identity information excluding any core bio-metric information’. Note that the scope of what would comprise an appropriate response has not clarified and is left entirely to the whims of the UIDAI. Further, ‘identity information’ is provided with an inclusive definition in the Aadhaar Act, which can be expanded by the UIDAI itself thereby permitting additional sensitive personal data to be revealed in response to an authentication requestThus, despite the restrictions on the disclosure of ‘authentication records’, it is possible that the UIDAI might see fit to include the ‘current location’ or ‘last known location’ of an individual within the scope of ‘identity information’.

For instance, consider the fact that facial recognition can easily be implemented off a single photograph, as indicated when the India Stack twitter account publicly feted a local start-up for having built a facial recognition system relying solely on Aadhaar data. Since the photograph of an Aadhaar holder is not included within the ambit of core biometric information, the UIDAI is permitted to respond to an authentication request by providing the photograph of the Aadhaar holder, thereby facilitating unauthorized identification and authentication. how photographs of Aadhaar holders may be disclosed and used for en masse surveillance.

Indeed, the intention of the Government seems to be to facilitate such widespread surveillance, which is borne out by specific modifications made to the erstwhile National Identification Authority of India Bill, 2010 (“NIAI Bill”). The NIAI Bill defined authentication to include ‘any appropriate response excluding any demographic and biometric information’, while the Aadhaar Act defines authentication to include ‘any appropriate response sharing such identity information excluding any core biometric information’.

To get a sense of how disturbing this is, consider that the primary evidence for the conviction of Rajat Gupta in the insider trading case, was meta data gleaned through phone records. When fully functional in the manner envisaged by the State, Aadhaar authentication records will contain meta data about a majority of the economic and social activities we undertake. Given the headwinds in the industry and the existence of the Aadhaar database, the prospect of such technology being used for similar purposes in India is not distant. Instances such as people being convicted on account of Aadhaar authentication records placing them close to the scene of a crime, and entire communities being placed under surveillance in the interests of national security, becoming the norm. In February 2017, a member of Parliament expressed fears that such technology and data would eventually be used by the Government of the day for “mass surveillance, ethnic cleansing and other insidious purposes”.

4.2     Commercial Exploitation:

John Dreze, in an article on diminishing privacy under the Aadhaar regime, states that the evolution of the powers of the UIDAI from the initial envisagement in 2010 indicates that “the leading lights of Aadhaar woke up to the business value of the database”; an argument supported by several factors such as (i) the appointment of Ernst & Young to identify potential business opportunities with regard to the Aadhaar data; (ii) the creation of the India Stack, with the objective of widespread private commercial use of the Aadhaar infrastructure; and (iii) an internal UIDAI document released in February 2016 which lists and encourages the use of Aadhaar infrastructure for commercial applications by e-commerce companies, banking organisations and even social media websites to reduce fraud and improve efficiency.

“Thus, it is evident that the Government intends to use Aadhaar data for far more than the welfare programmes it was initially intended to support. Such intense encouragement to the private sector to start accessing the Aadhaar database isn’t even necessary; for instance, e-commerce companies lose an estimated 4-5% of their total revenue on account of fraudulent orders. If all e-commerce transactions were linked to Aadhaar numbers, fraud instances would fall and thereby generate immense savings. On the other hand, it would help create thousands of private databases which permanently link every movement and action to an individual; a gross violation of privacy. Travel companies and credit card companies could exchange data to discover personal details of customers, and improve their generally invasive targeted marketing. Instances such as Target and Facebook targeting potentially pregnant women with contextual advertisements will only grow. Yet, the Indian Government is disregarding its role in facilitating such invasion of privacy.”

Consider the healthcare sector, a perfect example of how such commercialisation could affect an individual. Numerous moves have been made to link Aadhaar numbers to the medical records, including the refusal to treat patients at government hospitals without the Aadhaar, the National Health Policy 2017 requiring the use of Aadhaar linked medical data for development of welfare initiatives, and websites of government medical organisations actively promoting linkage of the Aadhaar to patient records. The initiative to unify patient medical records across the spectrum is a beneficial one, which has precedents in the US (American Reinvestment and Recovery Act, which seeks to establish the use of interoperable electronic health records) and the UK (Spine, which is an online information sharing initiative of the National Health Service).

“The successful establishment of such technology would go a long way in ensuring that medical information of patients is maintained and available for reference across healthcare providers, which would directly improve standards of care and effectiveness of medical treatment. However, this does not justify the linkage of medical data to every other aspect of an individual’s life, through the Aadhaar number, and can be achieved through other means. Also, the interest of the Government in such an initiative clearly goes beyond just improvements in accessibility of medical records, and is focused on the exploitation of such data for analytical purposes.”

The large scale analysis of the medical data of citizens by the Government has numerous potential benefits. It could empower the State to predict epidemics, counter the spread of diseases and plan national medical responses. Big data is changing the way healthcare is provided by helping healthcare businesses become more efficient and productive, something direly needed in the Indian context. However, the fallout of such a project will inevitably be the actual identification of patients through such data; which should be non-negotiable. Modern day analytics tools have shown how anonymised data sets with known datasets can often be combined to reveal exact identities; an example was a recent study conducted in the United State that showed how the combination of a medical database with a publicly available voter list made it possible to extract the health records of the Governor of Massachusetts. Thus, the aggregation or anonymization of data is no guarantee against identification, particularly when an Aadhaar number is linked to a medical outcome. Even the possibility of such patient identification should be sufficient to shut down usage and linkage of the Aadhaar for, inter alia, medical purposes.

In this context, the Electronic Health Record (“EHR”) Standards for India, 2016 makes it clear that the data contained in EHRs is owned by the patient and held in trust by the healthcare provider; yet this stipulation of ownership is negated by the fact that use and disclosure of protected and sensitive information of that patient is permissible without the consent of that patient where such information is anonymized (i.e. any personally identifiable information is removed). Healthcare providers are free to use such information (anonymized) for their commercial purposes, which could often include the direct sale of medical data to private data mining companies; something that is prevalent in the US and likely in India as well.Many companies now specialize in gathering information from hundreds of healthcare providers, as well as insurance records, lab test data, and even lifestyle information – the richer the collated data sets, the more valuable is the overall pool. Private equity and venture capital firms often pay huge amounts of money to access such intelligence in order to assess investment opportunities in the pharmaceutical sector, and pharmaceutical companies pay huge amounts of money for such data so as to be able to assess market potential for a new drug or design marketing campaigns to suit a target audience. Given that the leakage of sensitive medical data is commonplace in India both on the private sector front and from the government, steps need to be taken to protect medical data instead of linking them to other data sets.

“The fact remains that linking Aadhaar numbers to medical records opens up the possibility of creating super-profiles of patients, like Facebook profiles merged with travel records and linked to financial statements pooled with consumption patterns. The privacy of patients is a basic human right, long recognised and protected right in this country, and this is now being compromised by the Aadhaar linkage.”

The result of this could be large scale discrimination across industries: AIDS patients being refused access to a scarce drug on account of their pre-existing condition, or pregnant women being refused employment by a company seeking to the payment avoid maternity leave benefits. Most distressing however is the possibility that medical services are denied to people on account the deactivation of their Aadhaar number, an unreasonably wide power held by the UIDAI that is not subject to any oversight or supervision. It is not inconceivable to foresee situations where the Government of the day chooses to affect dissidents or persons considered to be undesirables, by merely deactivating their Aadhaar numbers and thereby cutting them off from essential services nationwide.

4.3     National Security Risk:

Given the increasing linkage of the Aadhaar number to other databases and personal information of the holder across the board, it becomes important to identify what exactly a hacker would know if he gains access to Aadhaar related information.

“Consider a successful and sustained attack on Indian cyber resources over a prolonged period of time, similar to that conducted by the Suckfly group. Such a hacker could glean information from Government websites, e-commerce companies, financial institutions, healthcare companies and even a last mile delivery service provider. Accordingly, the hacker would have information such as the Aadhaar number, the credit history, the purchase history, the medical records and the physical addresses of individuals; the fact that this has already happened in the Indian context is reiterated. By virtue of this data, the hacker would be able to identify the movements of citizens of interest, which enterprises are of national significance, and how essential Government services are dispensed across the country. Now consider the possibility that the hacker is in the employ of a terrorist organisation or a country with whom India is in conflict. Services could be shut down, critical infrastructure destroyed and citizens blackmailed.”

Further, our already insecure financial and payments systems are increasingly compromised by the introduction of the Aadhaar enabled payment systems (“AEPS”). An AEPS involves the usage of the biometrics of a customer to authenticate a financial transaction. The customer initiates the transaction by submitting her/his biometric information to a capturing device, which is then authenticated, post which funds are transferred from the bank account pre-linked to the customer’s Aadhaar number. The security risks posed by such a system, wherein the easy duplication of biometrics can lead to fraudulent transactions, is obvious. The en masse use of silicon film fingerprint copies to dupe fingerprint scanners used to screen candidates for the medical entrance exams in Madhya Pradesh is an example of how simple it would be to fraudulently initiate transactions through AEPS technology.

“In December 2016, Qualcomm (one of the world’s largest chipset makers) stated that none of the digital wallets or payment applications in India are fully secure as they do not use hardware level security. It is not impossible for a terrorist organisation or an enemy state to exploit this.”

The Aadhaar system could also affect the functioning of our democracy, making it prone to external influence. Consider the recent reports of data analytics firms having allegedly influenced the outcome of the US Presidential Elections and the Brexit Referendum. The contention is that analytics firms employed by campaign bodies sourced / purchased personal data of potential voters and used the analytics results to specifically target them political messaging designed to persuade a certain electoral response. Similar methods could be used by political parties in power in India to target voters with tailored campaigning and beneficially polarizing communications. There are already instances of this being perpetrated in the Indian context, with the IT wings of several large parties focusing solely on the manufacture of news to whip up potential vote banks into a polarized frenzy. This is made possible on an unimaginably large and accurate scale by the Aadhaar, thereby negating the concept of a fair and fair election in the country.

“To reiterate a point made earlier, the Indian government is writing the metadata biography of every Indian using infrastructure that was built by foreign players, and placing it in a supposedly secure database while intentionally providing multiple parties with various means and points of access. This is why our national security is at risk on account of the Aadhaar project.”

 

Conclusion

The analysis above throws up several questions about the manner in which the Aadhaar project was developed and implemented, that need answering:

Firstwhy was the Indian Government so eager to press ahead with the development of the Aadhaar infrastructure despite the lack of legal, technical and policy safeguards?

Second, what could be possibly be so urgent about nationwide adoption of the Aadhaar number that the Indian Government is willing to let children go hungry, pensioners go unpaid and bonded labourers go unassisted in its desperation to enforce compliance?

Thirdwill the Aadhaar project be abandoned or substantially modified if it is conclusively proven that the Aadhaar data has been compromised?

Fourthdo financial savings (currently claimed to be Rs.49,000 crores) justify and override the definite security breaches that have occurred in the Aadhaar lifecycle?

Fifthwhy does the Indian Government take action against persons exposing the security flaws in the Aadhaar infrastructure?

If the Indian Government could provide clear and honest answers to each of these questions, the need for restructuring or abandonment of the Aadhaar project would be self-evident. Unfortunately, this scenario is unlikely, as the ones most affected by the privacy violations and security flaws of the Aadhaar project are unable to imagine the risks and thus unwilling to protest strongly enough. After all, the ‘physical design’ of the mass invasion of privacy is still invisible to ‘we, the people’.

 

Varun Mathew is a Delhi based lawyer. He specialises in Information Technology and Cyber Security laws. 

Photograph- “Parallax View ” mixed media, Sanjeev Khandekar with Vaishali Narkar , 2009