UIDAI’s FAQs published in national dailies present a very narrow perspective on Aadhaar and still leave a lot of questions unanswered



The UIDAI on 3 April published a list of Frequently Asked Questions in national dailies, in an effort to address concerns with Aadhaar. The issue with some of the statements made in these FAQs is not so much that they are incorrect, but that they present an extremely narrow perspective of Aadhaar, and only portray Aadhaar as it is intended to be on paper, as opposed to the actual situation.

Here, some of the statements of the UIDAI in these FAQs are looked at.


UIDAI stores minimal data

The UIDAI lists the following data as that collected and stored in its database, namely the CIDR — name, address, gender, date of birth, ten fingerprints, two iris scans, photographs, mobile number and e-mail. While this is the list of data specified in the Aadhaar Act to be collected, i.e., biometric and demographic information, the list excludes metadata, the collection of which is authorised by the Aadhaar regulations themselves (Regulation 26 of the Aadhaar (Authentication) Regulations).

Aadhaar is not a profiling tool

Further, they state that the UIDAI does not collect data like bank accounts, shares, mutual funds, financial and property details, health family records, caste, religion, education, etc.

This does not, however, take into account related databases like the State Resident Data Hubs (SRDH), which are said to be repositories of UIDAI data. Security researchers have reported that SRDHs provide a 360-degree profile of individuals — including all UIDAI data, data like driving license numbers, passport numbers, updates on location based on transactions, family and household information, and so on. A statement that Aadhaar is not a profiling tool needs to take into account such Aadhaar-enabled profiling.

A man goes through the process of eye scanning for the Unique Identification (UID) database system, also known as Aadhaar, at a registration centre. Image: Reuters

The UIDAI further states that Section 32(3) of the Aadhaar Act 2016 specifically prohibits UIDAI from controlling, collecting, keeping or maintaining any information about the purpose of authentication either by itself or through any entity. While this is an accurate statement of the section, it still does not take into account how entities like SRDHs were established under the law.

Aadhaar data has never been breached

The UIDAI’s response to the question of whether Aadhaar data has been breached is its standard response that the Aadhaar database has never been breached. This statement, again, presents an extremely narrow perspective on Aadhaar security. Firstly, the Tribune report showed that Aadhaar data could be withdrawn from the Aadhaar database itself. This is very much a breach of the Aadhaar database, even if it wasn’t a large-scale one, or if biometrics were not affected.

Secondly, the dangers to Aadhaar data do not arise from a breach of the CIDR only. There are multiple sources of Aadhaar data — be it data with governmental websites, private entities collecting Aadhaar data, or various apps using Aadhaar. The UIDAI, in fact, admitted in yesterday’s hearings that AuAs, KuAs and ASAs are required to log data which includes Aadhaar numbers and other authentication information. The data at all these levels is very much at risk.

For instance, the UIDAI itself admitted to disclosure of Aadhaar data by 200 government websites, and security researchers recently reported flaws in the mAadhaar app which risked the linked databases and user data.

Reports of Aadhaar breaches are misreporting

Further, the UIDAI dismissed many of the news stories on Aadhaar data breaches as misreporting. Given that the UIDAI usually issues statements immediately, dismissing such media reports, it is unlikely that the news reports were first investigated and verified. Even in the Tribune case, the UIDAI had first dismissed the story as misreporting and denied the breach and then went on to file an FIR against the reporters, in the name of investigating the matter.

A woman goes through the process of finger scanning for the Unique Identification (UID) database system, Aadhaar, at a registration centre in New Delhi, India. Image: Reuters

Moreover, researchers have reported that despite attempts to approach the UIDAI or other authorities to inform them of a vulnerability or breach, no action was taken against it till the report was published in the media (such as the Indane leak).

Linking of Aadhaar with bank accounts will enable fraudsters to be located and punished

This is the statement issued by the UIDAI on the advantages of linking Aadhaar to bank accounts — that this will enable fraudsters to be located and punished. It is unclear how exactly this is possible. Several bank accounts have been hacked and emptied through various means, such as this report of several Aadhaar based frauds in public sector banks, or this UPI and Aadhaar based scam conducted on the pretext of Aadhaar-PAN linkage. Many of the fraudsters have not been caught.

Bank accounts are more secure because of Aadhaar linking

This statement is untrue, given that the Aadhaar linking of bank accounts has provided fraudsters with an extremely simple method of hacking into accounts. A simple method revealed by the reported scams is to fraudulently obtain duplicate SIM cards or change Aadhaar-registered mobile numbers, download a UPI-based app, and simply withdraw all the money from the linked bank accounts.

Aadhaar FAQ advert published in national dailies by the UIDAI

No one can hack into bank accounts with Aadhaar number alone

This statement is true, but only to the extent that hacking into a system with an Aadhaar number ALONE is not possible. This statement does not take into account the risk the Aadhaar number poses in combination with other information so easily available or obtainable.

The example given above, for instance, clearly indicates how the Aadhaar number, in combination with other data, can easily be used to hack into accounts. Moreover, data like passwords, PINs, etc., are easily available to cybercriminals from data dumps on the dark web. These data dumps also include biometric information, given its increasing significance.

No one is being denied services due to Aadhaar

On the question of Aadhaar-based exclusion, the UIDAI made its standard statement, quoting rules on paper which prohibit the denial of services. The problems on the ground, however, cannot be assessed by looking at the law. There are several reports of Aadhaar-based exclusion, starvation deaths due to denial of rations and denial of pensions being only some of the instances. The failure of PoS devices in authenticating is another major concern. The Supreme Court itself has expressed concerns with the Aadhaar-based exclusion on the ground.

Even looking at the law itself, Section 7 provides only two options — to get benefits, a person must either have Aadhaar or have applied for Aadhaar. It doesn’t take into account persons who have chosen not to acquire Aadhaar, a right which they have till the Supreme Court passes its final verdict. For instance, in the Aadhaar hearing, one petitioner reported denial of admission to the school for his son because he and his family chose not to enroll in Aadhaar. The Aadhaar enrolment forms themselves, after all, cite that Aadhaar enrolment is ‘voluntary’. In such a case, alternative arrangements need to be made for people choosing not to have Aadhaar.

No one can store or use biometrics

There have been reports proving this statement to be untrue, such as the biometric replay attacks, and the report of shopkeepers swindling rations after reporting authentication failures to the people. There is, additionally, the problem of fraudsters using duplicate software, skimmers and other technical methods to collect biometric data.

Aadhaar inspires more trust and confidence than any other identity document in India

This is another questionable statement by the UIDAI, which goes on to describe Aadhaar as the most preferred identity document in India. The true statement is probably that, by virtue of Aadhaar being made mandatory under various notifications under Section 7 and Section 57 of the Aadhaar Act, Aadhaar is (or will soon be) the only accepted identity document in India.

It has been pointed out several times that unlike with Aadhaar, for other identity documents such as a passport, there are actual physical verifications that take place, such as a police visit to verify residence. However, none of these verifications is conducted with Aadhaar. In fact, the petitioners in Tuesday’s Aadhaar hearing questioned whether any verification was done to verify the 182 days residence requirement, or to verify whether a person was an illegal immigrant or not. The UIDAI’s only response to this was that those enrolling signed a declaration that they were so resident. This indicates that no further verification was done.

In the absence of suitable verification, and coupled with the issues of biometric authentication such as probabilistic and inaccurate matching, it is, therefore, unlikely that it is as trustworthy a document as the UIDAI claims. Further, there are also reports of fake and duplicate Aadhaar cards being issued.

People advised to file complaints

Lastly, the FAQs offer filing complaints with higher authorities as a solution to Aadhaar-based problems. In the ongoing Aadhaar hearings, the UIDAI cited the lack of complaints filed with it as a factor in its favour. Given that huge masses of people don’t even have a proper understanding of the digital world, they are unlikely to have the knowledge or the means to approach authorities to complain or resolve their issues.

When asked in Tuesday’s hearings if the UIDAI was aware of how many of the authentication failures resulted in a denial of services, the UIDAI indicated that it did not have this information. Instead of quoting the lack of complaints as proof of a lack of issues, the UIDAI needs to actively seek out and address issues of denial of services, etc. To start with, the UIDAI needs to investigate reports of such issues instead of simply denying them.

The Bench stated that the poor had an equal right to privacy. Reuters.

Quoting rules does not alleviate concerns

Such denial of issues with Aadhaar and quoting rules does little to alleviate people’s concerns with Aadhaar. The UIDAI would go much further with inspiring confidence in Aadhaar and its security, by showing an active and ongoing interest in discovering and resolving the issues with the Aadhaar ecosystem. Vulnerabilities and risks in a large-scale digital system like Aadhaar are inevitable. Turning a blind eye to such issues, instead of working with them, will not ensure better security.

(Note - The content of the FAQs is the same as that published earlier in January).

 The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.
