Asheeta Regidi | Apr 05, 2018 16:44:37 IST
The UIDAI on 3 April published a list of Frequently Asked Questions in national dailies, in an effort to address concerns with Aadhaar. The issue that arises with some of the statements made in these FAQs is not so much that they are incorrect, but that they present an extremely narrow perspective of Aadhaar, and only portray Aadhaar as it is intended to be on paper, as opposed to the actual situation.
Here, some of the statements of the UIDAI in these FAQs are looked at.
UIDAI stores minimal data
The UIDAI lists the following data as that collected and stored in its database, namely the CIDR — name, address, gender, date of birth, ten fingerprints, two iris scans, photographs, mobile number and e-mail. While this is the list of data specified in the Aadhaar Act to be collected, i.e., biometric and demographic information, the list excludes metadata, the collection of which is authorised by the Aadhaar regulations themselves (Regulation 26 of the Aadhaar (Authentication) Regulations).
Aadhaar is not a profiling tool
Further, they state that the UIDAI does not collect data like bank accounts, shares, mutual funds, financial and property details, health family records, caste, religion, education, etc.
This does not, however, take into account related databases like the State Resident Data Hubs (SRDH), which are said to be repositories of UIDAI data. Security researchers have reported that SRDHs provide a 360-degree profile of individuals — including all UIDAI data, data like driving license numbers, passport numbers, updates on location based on transactions, family and household information, and so on. A statement that Aadhaar is not a profiling tool needs to take into account such Aadhaar-enabled profiling.
The UIDAI further states that Section 32(3) of the Aadhaar Act 2016 specifically prohibits UIDAI from controlling, collecting, keeping or maintaining any information about the purpose of authentication either by itself or through any entity. While this is indeed what the section provides, it still does not take into account how entities like SRDHs were established under the law.
Aadhaar data has never been breached
The UIDAI’s response to the question of whether Aadhaar data has been breached is its standard response that the Aadhaar database has never been breached. This statement, again, presents an extremely narrow perspective on Aadhaar security. Firstly, the showed that Aadhaar data could be withdrawn from the Aadhaar database itself. This is very much a breach of the Aadhaar database, even if it wasn’t a large-scale one, and even if biometrics were not affected.
Secondly, the dangers to Aadhaar data do not arise from a breach of the CIDR only. There are multiple sources of Aadhaar data — be it data with governmental websites, private entities collecting Aadhaar data, or various apps using Aadhaar. The UIDAI, in fact, admitted in yesterday’s hearings that which includes Aadhaar numbers and other authentication information. The data at all these levels is very much at risk.
Reports of Aadhaar breaches are misreporting
Further, the UIDAI dismissed many of the news stories on Aadhaar data breaches as misreporting. Given that the UIDAI usually issues statements immediately, dismissing such media reports, it is unlikely that the news reports were first investigated and verified. Even in the Tribune case, the UIDAI had first dismissed the story as and then went on to file an in the name of investigating the matter.
Moreover, researchers have reported that despite attempts to approach the UIDAI or other authorities to inform them of a vulnerability or breach, no action was taken against it till the report was published in the media (such as the ).
Linking of Aadhaar with bank accounts will enable fraudsters to be located and punished
This is the statement issued by the UIDAI on the advantages of linking Aadhaar to bank accounts — that this will enable fraudsters to be located and punished. It is unclear how exactly this is possible. Several bank accounts have been hacked and emptied through various means, such as of several Aadhaar based frauds in public sector banks, or conducted on the pretext of Aadhaar-PAN linkage. Many of the fraudsters have not been caught.
Bank accounts are more secure because of Aadhaar linking
This statement is untrue, given that the Aadhaar linking of bank accounts has provided fraudsters with an extremely simple method of hacking into accounts. A simple method revealed by the scams reported is of fraudulently obtaining duplicate sim cards or changing Aadhaar registered mobile numbers, downloading a UPI based app, and simply withdrawing all the money from the linked bank accounts.
No one can hack into bank accounts with Aadhaar number alone
This statement is true, but only to the extent that hacking into a system with an Aadhaar number ALONE, is not possible. This statement does not take into account the risk the Aadhaar number poses in combination with .
The example given above, for instance, clearly indicates how the Aadhaar number, in combination with other data, can easily be used to hack into accounts. Moreover, data like passwords, PINs, etc., are easily available with cybercriminals from data dumps on the dark web. These , given its increasing significance.
No one is being denied services due to Aadhaar
On the question of Aadhaar-based exclusion, the UIDAI made its standard statement, quoting rules, on paper, which prohibit the denial of services. The problems on the ground, however, cannot be assessed by looking at the law. There are several reports of Aadhaar-based exclusion, due to denial of rations and being only some of the instances. The in authenticating is another major concern. The Supreme Court itself has expressed concerns with the Aadhaar-based exclusion on the ground.
Even looking at the law itself, Section 7 provides only two options — to get benefits, a person must either have Aadhaar or have applied for Aadhaar. It doesn’t take into account persons who have chosen not to acquire Aadhaar, a right which they have till the Supreme Court passes its final verdict. For instance, in the Aadhaar hearing, one petitioner reported for his son because he and his family chose not to enroll in Aadhaar. The Aadhaar enrolment forms themselves, after all, cite that In such a case, alternative arrangements need to be made for people choosing not to have Aadhaar.
No one can store or use biometrics
There have been reports proving this statement to be untrue, such as the , and the report of . There is, additionally, the problem of fraudsters using skimmers and other technical methods to collect biometric data.
Aadhaar inspires more trust and confidence than any other identity document in India
This is another questionable statement by the UIDAI, which goes on to describe Aadhaar as the most preferred identity document in India. The true statement is probably that, by virtue of Aadhaar being made mandatory under various notifications under Section 7 and Section 57 of the Aadhaar Act, Aadhaar is (or will soon be) the only accepted identity document in India.
It has been pointed out several times that unlike with Aadhaar, for other identity documents such as a passport, there are actual physical verifications that take place, such as a police visit to verify residence. However, none of these verifications is conducted with Aadhaar. In fact, the petitioners in Tuesday’s Aadhaar hearing questioned whether any verification was done to verify the 182 days residence requirement, or to verify whether a person was an illegal immigrant or not. The UIDAI’s only response to this was that that they were so resident. This indicates that no further verification was done.
In the absence of suitable verification, and coupled with the issues of biometric authentication such as probabilistic and inaccurate matching, it is, therefore, unlikely that it is as trustworthy a document as the UIDAI claims. Further, there are also reports of being issued.
People advised to file complaints
Lastly, the FAQs offer filing complaints with higher authorities as a solution to Aadhaar-based problems. In the ongoing Aadhaar hearings, the UIDAI cited the lack of complaints filed with it as a factor in its favour. Given that huge masses of people don’t even have a proper understanding of the digital world, they are unlikely to have the knowledge or the means to approach authorities to complain or resolve their issues.
When asked in Tuesday’s hearings if the UIDAI was aware of how many of the authentication failures resulted in a denial of services, the UIDAI indicated that it did not have this information. Instead of quoting the lack of complaints as proof of a lack of issues, the UIDAI needs to actively seek out and address issues of denial of services, etc. To start with, the UIDAI needs to investigate reports of such issues instead of simply denying them.
Quoting rules does not alleviate concerns
Such denial of issues with Aadhaar and quoting rules does little to alleviate people’s concerns with Aadhaar. The UIDAI would go much further with inspiring confidence in Aadhaar and its security, by showing an active and ongoing interest in discovering and resolving the issues with the Aadhaar ecosystem. Vulnerabilities and risks in a large-scale digital system like Aadhaar are inevitable. Turning a blind eye to such issues, instead of working with them, will not ensure better security.
(Note - The content of the FAQs is the same as that published earlier in January).
The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.