The article in the Tribune by a journalist titled “Rs 500, 10 minutes and you have access to billion Aadhaar details” has created a flutter in government circles. UIDAI has promptly come out and filed an FIR. The incident could seriously affect the cause of the Government in its defence of the Aadhaar system in the Supreme Court.
Leaving all the hype aside, it must be clarified that Aadhaar long ago lost the ability to protect the information of the Aadhaar holders, and it is wrong to expect that it can be secured now.
What the incident has indicated is that the Aadhaar information was accessible without the OTP being provided by the Aadhaar holder. We are yet to know if the biometric has been compromised.
Bypassing the OTP is not a technological marvel. It could happen either by tricking the Aadhaar server or by intercepting the mobile communication at the network level. It is also possible that the data has been acquired from one of the licensed AUA/KUAs, who has created a parallel database from which this information is now being served.
Even if UIDAI successfully prosecutes some persons, it will not be able to bring back the confidentiality of the information.
We should therefore forget about protecting the information of the Aadhaar holders linked to a given card number. Presently the Aadhaar card is used like an “Identity card”, and in most places, such as hotels, they keep a photocopy of the card for their records. Such practice allows the information to float around in a number of places, and it is impossible to protect the information.
Since the Aadhaar number is meant to be used at a number of outlets, including merchants who may use AEPS, it is impossible to prevent a query being sent to the Aadhaar server which returns information that can be used to create a parallel database. This is like the many e-commerce portals which keep the credit card records of their customers under the pretext that it will speed up future transactions. Just as those transactions are protected only by the entry of the CVV, Aadhaar use is protected only by the use of the OTP. Since the OTP can be bypassed, Aadhaar can never in the future protect the information of card holders from being accessed by third parties, including those with criminal intentions.
Any pretension otherwise is not credible.
We therefore need to restrict our efforts to protecting the “Biometric”. If the biometric is also compromised, then the Government will have to completely scrap the use of Aadhaar.
As a security observer with knowledge of the Indian political scenario, I anticipate that several opposition political parties are already working on how to compromise Aadhaar system so that Mr Modi can be discredited. If they succeed, this will be a tool in their political game.
In risk management, “Risk Avoidance” is also a strategy. Under this principle, it is necessary for the Government to ensure that the use of “Biometric” authentication for simple things, such as making a payment in a merchant establishment, is stopped. The use of biometric-based KYC should also be stopped forthwith, since we cannot trust the biometric readers of the users.
Secondly, as a commercial proposition, I have advocated and continue to advocate the use of “Regulated Anonymity Principles”, which alone can help us retrieve the situation from the current mess. It is not possible to delve into the details of such a system here: if the Government is unable to understand the risks and decide to mitigate or eliminate them, there is no reason why we should discuss the details in public and help criminals prepare to counter any further security measures that may be thought of by UIDAI.
It is unfortunate that UIDAI is acting like the “Indira Gandhi of the Emergency times”, unable to shed its ego, refusing to believe the warnings held out, and adamant not to change tracks when it is warranted. We should not be surprised if the fate of Indira Gandhi awaits even UIDAI in the days to come.
The only hope… as always, is that there is one person called Modi…who may…hopefully….see the truth and take corrective action….
Naavi
For security reasons, when linking Aadhaar to bank accounts, mobile phone connections, public benefit schemes, Demat/Mutual fund investments, Insurance policies, etc., I wonder why the govt does not provide a portal on UIDAI itself to do so?
Such a facility would prevent Aadhaar details going into the hands of the lower-level staff of such agencies, and the linking would occur electronically, directly with their respective company servers.