OPINION | Aadhaar Has Security Loopholes, It's Time UIDAI Accepts It and Acts
The Aadhaar programme’s biggest selling point was the near universality of an identity system that did not suffer from the widespread fraud that India’s other identity systems suffer from. This investigation has revealed deep fault lines in that claim.

India’s Aadhaar programme, which has for years now been criticised due to its centralisation of sensitive biometric information, is now under fire from a different quarter. This time the possibility of a breach into the Aadhaar system has emerged from the end point—the enrolment system that was deployed across the country and managed by private entities responsible for collecting people’s biometric and demographic information.

An investigation by Huffington Post has revealed a vulnerability created by running a patch derived from an earlier, less secure version of the software. The patch defeats an essential technical control over enrolment officers, allowing an individual to spoof the software's login with a high-quality photograph instead of an iris scan.

The patch also disables the software’s geolocation filters, which tether the system to pre-specified enrolment centres only. The consequence: enrolment officers (and their proxies) are now able to log in and run multiple versions of the software at the same time and at unauthorised locations.
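The failure described above is a familiar one: a control enforced only in the client, such as a geolocation filter, can be removed by patching the client, so the check has to be repeated on the server from data the client cannot quietly alter. The following Python is an added illustration, not code from UIDAI's enrolment software or from the Huffington Post investigation. It shows the server-side form of the two controls the patch removed: a geofence check of each session against a registry of authorised centres, and detection of one operator running overlapping sessions. The session record format, the centre identifiers and coordinates, the 1 km tolerance and the operator ids are all constructed assumptions.

```python
"""Server-side enrolment session audit (added illustration; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed registry of authorised enrolment centres: hypothetical ids and coordinates.
AUTHORISED_CENTRES = {
    "CENTRE-A": (28.6139, 77.2090),
    "CENTRE-B": (19.0760, 72.8777),
}
MAX_DISTANCE_KM = 1.0  # assumed tolerance around a centre's registered position

# Constructed session records, one per line: start,operator,centre,lat,lon,end
SAMPLE_LOG_LINES = [
    "2018-09-11T10:00:00,OP-1,CENTRE-A,28.6140,77.2091,2018-09-11T12:00:00",
    "2018-09-11T10:00:00,OP-2,CENTRE-A,19.0760,72.8777,2018-09-11T11:00:00",
    "2018-09-11T10:30:00,OP-2,CENTRE-B,19.0760,72.8777,2018-09-11T11:30:00",
    "2018-09-11T09:00:00,OP-3,CENTRE-X,28.6139,77.2090,2018-09-11T09:45:00",
]


@dataclass
class Session:
    operator_id: str
    centre_id: str
    lat: float
    lon: float
    start: datetime
    end: datetime


def parse_line(line: str) -> Session:
    """Parse one constructed session record into a Session."""
    start, op, centre, lat, lon, end = line.strip().split(",")
    return Session(op, centre, float(lat), float(lon),
                   datetime.fromisoformat(start), datetime.fromisoformat(end))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def geofence_violations(sessions):
    """Sessions whose reported position is not within tolerance of their claimed centre.

    An unknown centre id is treated as a violation rather than silently accepted.
    """
    out = []
    for s in sessions:
        centre = AUTHORISED_CENTRES.get(s.centre_id)
        if centre is None or haversine_km(s.lat, s.lon, *centre) > MAX_DISTANCE_KM:
            out.append((s.operator_id, s.centre_id))
    return out


def concurrent_sessions(sessions):
    """Pairs of sessions by the same operator whose time intervals overlap."""
    by_operator = {}
    for s in sessions:
        by_operator.setdefault(s.operator_id, []).append(s)
    out = []
    for op, items in by_operator.items():
        items.sort(key=lambda s: s.start)
        for i, earlier in enumerate(items):
            for later in items[i + 1:]:
                if later.start < earlier.end:
                    out.append((op, earlier.centre_id, later.centre_id))
    return out


def audit(lines):
    """Run both server-side checks over raw session records."""
    sessions = [parse_line(line) for line in lines]
    return {
        "geofence": geofence_violations(sessions),
        "concurrent": concurrent_sessions(sessions),
    }


if __name__ == "__main__":
    for kind, findings in audit(SAMPLE_LOG_LINES).items():
        for finding in findings:
            print(kind, finding)
```

In the constructed data, OP-2 reports CENTRE-A while physically at CENTRE-B's coordinates and then opens a second session at CENTRE-B before the first has ended, which trips both checks; OP-3 claims a centre that is not in the registry. Because both checks run on the server against a registry the operator cannot edit, a patched client that merely stops applying the filter locally gains nothing.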

The ability of unauthorised users to access the enrolment system has in turn opened up three possibilities. First, a resident with an existing Aadhaar number can seek to obtain a duplicate Aadhaar for fraudulent activities. Second, the information of an existing Aadhaar user may be altered by an unauthorised enrolment operator. Third, a non-resident may obtain an Aadhaar number by submitting forged or falsified documents to one of these unauthorised enrolment agents.

Predictably, the Unique Identity Authority of India has responded to the news of this vulnerability, calling it baseless and a product of “vested interests.” The UIDAI addresses the first of the three possible cases of misuse by clarifying that no person with an existing Aadhaar number will be able to obtain a duplicate number due to the rigorous de-duplication checks that have been built into the system. This seems to be true. As per submissions made by the CEO of UIDAI before the Supreme Court, the de-duplication system has flagged and rejected 6.91 crore enrolment requests as of March 21 this year. These duplicate requests are from residents that have mistakenly reapplied while awaiting the assignment of an earlier enrolment request and from those seeking to defraud the system.

The UIDAI, however, does not clarify the second and third possibilities where information pertaining to an existing Aadhaar user may be illegitimately modified or where a non-resident is able to obtain a new Aadhaar number. Both seem possible on account of the dilution of the technical safeguards—the iris scan and GPS tethering—that the authority had introduced for enrolment operators.

At least two incidents over the past year lend credence to this possibility. In July 2017, Odisha police apprehended an Uzbek woman, later found to be part of an illegal sex racket, in possession of a valid Aadhaar card. Her name and address, however, had been falsified. Another case involved a Pakistani national, an ISI operative found in possession of details about military troop movements, who had obtained a valid Aadhaar card under a false name and a non-existent address.

Both cases point to the existence of illegitimate enrolment operators that, for a fee, are able to obtain legitimate Aadhaar numbers, based on unverified or outright false information, for individuals involved in questionable activities. Admittedly, the UIDAI has so far banned nearly 49,000 enrolment centres and has even begun criminal action against some. The fact, however, remains that the authority may not have a clear tally of how many fraudulent Aadhaar numbers are already in circulation. The Authority likely also does not know how many of its current enrolment centres have been compromised. As the Huffington Post reports, some of these former enrolment operators have partnered with officials working in authorised centres to complete the registration process for a fee.

These revelations reflect a breakdown in the security architecture of the Aadhaar ecosystem that is emanating not merely from a technological vulnerability but, as is the case with many cyber incidents, a human vulnerability.

The Aadhaar programme’s biggest selling point was the near universality of an identity system that did not suffer from the widespread fraud that India’s other identity systems suffer from. This investigation has revealed deep fault lines in that claim. The devolution of the enrolment process to unreliable private operators since 2010 (which has seemingly been rectified) has created a system that, while not succumbing to fraud through duplication, has nonetheless raised questions about the integrity of the database.

The UIDAI, while harping on the watertight infrastructure of the Aadhaar’s biometric database, has seemingly ignored the fact that the introduction of false information into the database also interferes with integrity of the system and negates trust in the system—something that was already on shaky ground. Because of the pervasiveness of the Aadhaar identity and reliance on the Aadhaar number for activities ranging from obtaining a passport to opening a bank account, this has huge implications for India’s national security.

The UIDAI has declined information requests about the issuance of fake and duplicate Aadhaar cards, citing national security concerns. It is arguable, however, that the true threat to national security emerges not from the disclosure but from the lack of awareness about the extent to which the identity system is already compromised. As with any sophisticated cyber attack, the true threat lies not with the vulnerabilities the UIDAI is able to anticipate and protect against but with the vulnerabilities that the agency refuses to acknowledge.

It is well past time that the UIDAI drop its current strategy of denial, defence and deflection and instead adopt a clearer accountability framework that, in addition to boasting of the success of the Aadhaar programme, also addresses the vulnerabilities in its security architecture. Any responsible data collector must be subject to external audits and transparency reporting requirements. As an entity that collects and processes data for the delivery of public services, the UIDAI must at the minimum yield to accountability mechanisms similar to those that private sector technology companies are subject to.

(Bedavyasa Mohanty is an associate fellow with Observer Research Foundation's cyber initiative. Views are personal)
