Centre for Internet & Society

Anshuman Jaswal from Kapronasia shares insights into the security and privacy concerns related to Aadhaar, which are often overlooked

This editorial was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.

The Digital India project initiated by the Government of India has made significant headway in the last few years. As part of this project, the Unique Identification Authority of India (UIDAI) has presided over the allotment of unique identification numbers to all Indian residents since 2009. Currently, more than 1.1 billion Indian citizens and residents have Aadhaar IDs, making this the largest exercise of this kind the world has ever seen. There are many potential benefits of such a scheme, but there are also concerns and pitfalls. Besides the advantages, this article also focuses on some of the security and privacy concerns related to Aadhaar, which are often overlooked.

Benefits of Aadhaar

India is the second most populous nation on earth, with more than 1.3 billion people. Having a unique identification system in place would be a fillip for the government, as it would allow government schemes for poverty alleviation and improvement in health and educational well-being to be better targeted. For example, if a needy person’s bank account is linked to their Aadhaar biometric ID, then it would be easier for the government to provide funds to the individual without using any intermediary. In a country struggling with corruption throughout the government machinery, being able to reach the target audience directly is a significant benefit. Similarly, if both the bank accounts and the tax IDs of individuals are linked to the Aadhaar ID, then the government can trace the income and expenditure of its citizens, thereby obtaining vital information that would allow it to counter money-laundering and the shadow economy.

Security challenges are paramount

Creating a monumental technology infrastructure to meet the requirements of a population of more than 1.3 billion people does not come without its problems. Many people have questioned the wisdom of concentrating so much critical personal information in a government platform that is not known for having a robust security framework. There have been two prominent instances in which the Aadhaar database has been compromised.

In May 2017, the Bengaluru-based Centre for Internet and Society (CIS) alleged that there had been an illegal breach of the database, and Aadhaar identity numbers of more than 130 million people had been leaked online, along with their dates of birth, addresses, and tax IDs (PAN). It is believed that the revealed information did not include the biometric identification of the people affected, but the breach was significant nonetheless as it exposed millions of people to possible fraud.

The response of the UIDAI was also insightful, because it asked the CIS to reveal on which servers the data was stored, and who might have been responsible for the breach. The UIDAI response quoted the relevant laws, namely sections of the Information Technology Act, 2000 and the Aadhaar Act, underlining the liability under law. The aggressive approach of the UIDAI forced the CIS to retract some of its claims, but then the focus of the discussion was shifted from the loss of critical information to the semantics of the claims of CIS. Instead of calling the breach a “leak”, after receiving the letter from UIDAI, CIS stated that it was merely an “illegal disclosure”.

The second instance of a breach occurred between January and July 2017, when an IT expert hacked into the Aadhaar-enabled e-hospital system created under the Digital India project of the Government of India. His intention was to access the central identities data repository of UIDAI for verification of Aadhaar numbers, to be used for an ‘eKYC Verification’ app created by him. The UIDAI database gave him access considering that it was the e-hospital system that was requesting the Aadhaar identity verification. The hack shows that the security protocols of the UIDAI require a significant overhaul before it can be trusted to protect the hundreds of millions of digital identities in its database.

Aadhaar and the right to privacy

The Indian constitution does not mention a right to privacy. This has been raised as a serious concern by the critics of Aadhaar, since there is no related privacy framework that outlines how the government can use the Aadhaar information. However, the Supreme Court of India addressed some of these concerns when it stated, in August 2017, that privacy is a fundamental right under the Constitution with reasonable restrictions. It was a landmark decision in the Indian context, since it could affect the way in which the unique identification data is collected, and especially the means for which it is used. For example, in the past, the government has mandated that Aadhaar data be linked to citizens’ information from bank accounts, tax filings, medical records and phone numbers. Once this is achieved, the government would have unregulated access to such information. There is currently no statute or legal precedent to guard against abuse or to allow an individual to file a complaint.

The Supreme Court decision gives encouragement to citizens and institutions that are concerned about the rights of ordinary individuals, while also laying the groundwork for further work that needs to be done to create a robust legal framework in this field.

Read the original blog post published by the Paypers here