Despite assurances, concerns prevail over Aadhaar security

Despite assurances, concerns prevail over Aadhaar security

* The Delhi Police Crime Branch register an FIR against Skoch Group chairman Sameer Kochhar after he wrote that Aadhaar can be hacked, raising questions on the security of Aadhaar platform which the government is utilising.

* A news channel reporter was booked  for airing a news report exposing that two enrolment numbers can be obtained by submitting the same set of biometrics.

* Former India cricket captain Mahendra Singh Dhoni’s Aadhaar details were leaked and put in public domain through a Twitter handle of a Central Services Centre in Ranchi.

Despite the government making the use of Aadhaar mandatory for availing growing number of different schemes and services, the Ministry of Electronics and Information Technology (MEIT) has not been able to fully mitigate the concerns on individual privacy and national security given the critical mass data available with the Unique Identification Authority of India (UIDAI) which administers Aadhaar.

Barring statements such as: “don’t demonise Aadhaar” or “Aadhaar is very secure,” which are repeated after every single instance of breach of confidential information, the UIDAI is still to demonstrate whether inbuilt firewalls are alerting their security managers before details get public. And in case there is a loophole in the system, which can be more than one if social media is to be believed, is there any attempt to bridge that?

Since the UIDAI is the custodian of individuals’ personal data, it will not be out of place to ascertain, for example, whether the authorities came to know that M S Dhoni’s Aadhaar details were leaked before his wife Sakshi Singh brought it to the notice of IT Minister Ravi Shankar Prasad. The UIDAI though blacklisted the centre concerned for 10 years for the illegal act, it did not offer any clue on the existence of an in-house corrective mechanism.

Moreover, while the passwords or pin numbers can be changed in cases of hacked email accounts or debit and credit cards, the fingerprints and iris image of Aadhaar can’t be altered. Adding to the apprehension is an admission from a scientist of MEIT, Archana Dureja, who officially acknowledged in a March 25 letter that confidential personal information has been put online which is an offence under the Aadhaar Act.

“There have been instances wherein personal identity or information of residents, including Aadhaar number and demographic information and other sensitive personal data such as bank account details etc, collected by various ministries/departments, state government departments, in the administration of its various welfare schemes etc, has been reportedly published online and is accessible through an easy online search,” Archana wrote to secretaries and chief secretaries of states.

Sources in the ministry agree with the need to have such posers at UIDAI to make the system foolproof as they argue that more than pilferage of individual information, national security is at stake. With the world going digital, securing mass data pool is as valuable and strategic as the crucial deployment of military hardware especially since the world is looking up to India for offering the biggest global market for business, said ministry sources.

The use of Aadhaar in a controlled atmosphere is more secure than opening up its use in an unrestricted market, ministry sources argued. The potential of demographic and biometric information of individuals in future economic warfare could be frightening.

The UIDAI recently responded to an RTI application, informing that its offices had received 1,390 complaints against enrolment agencies during a period of six years. These complaints were received between September 29, 2010 — when Aadhaar was launched, till October 31, 2016. During this period, more than 80% of all the Indian residents were enrolled.

A total of 556 enrolment agencies and 125 registrars are working with the UIDAI which also disclosed that its regional office in Bengaluru had sought police probe into three complaints received there.

‘Motivated campaign’
Nandan Nilekani, who had conceived the idea of Aadhaar as the first former chairman of UIDAI, opines that the news reports raising questions on the vulnerability of the digital platform is nothing but a “motivated campaign.” He said in a recent interview that “to single out and demonise Aadhaar when we have an across-the-board issue with mobile phones, voice recognition systems, CCTV cameras, Internet of Things etc, that is a motivated campaign.”

He also described Aadhaar as very secure. “The agency collecting the data has no access to it as it uses the most advanced encryption technology. The data packet is encrypted at source... the level of encryption that Aadhaar has is way above any other system today, including in the private sector. Plus, the security keeps getting enhanced. Nobody has given me a single example of data theft from Aadhaar. Show me one. Let someone say they took out this packet and opened it. He can’t. It’s all this hand-waving kind of stuff. I can categorically say that it is the most secure system in India and among the most secure systems in the world,” he emphatically argued.

The Narendra Modi government stated that privacy laws have been tightened in the Aadhaar bill much more than the legislation drafted by previous UPA regime. This was to allay fears of critics and opposition parties which had strong doubts on privacy safeguards, possibility of surveillance and that the act took away individual control on information.

Globally, the grey cyber market is working overtime to break into secured biometric system of authentication of information. Two years ago, the United States Office of Personnel Management witnessed heist of 5.6 million fingerprint records that forced the most developed nation to come up with a defence to check cyber attack using fingerprint data.

By many counts the government's intention of using Aadhaar for quicker, cleaner and efficient delivery of subsidies to beneficiaries is justifiable but equally, there is a requirement for a comprehensive privacy law in the country to address the adverse fallout of impatient people’s quest for the time-defying technology. Some of that debate is happening in the Supreme Court which is hearing a batch of petitions relating to Aadhaar and privacy.
DH News Service