In a bid to explain just how securely the Aadhaar data of millions of Indians is stored, Attorney-General KK Venugopal on Wednesday described to the five-judge constitutional bench of the Supreme Court just how thick the walls of the data facility in Manesar were. The bench led by Chief Justice Dipak Misra and also comprising Justices AK Sikri, AM Khanwilkar, DY Chandrachud and Ashok Bhushan had questioned the privacy of data taken for the UIDAI system.
Venugopal assured the judges that this was no fly-by-night operation and that Aadhaar data was secure behind walls that are 13-feet high and five-feet thick.
It's at this point that questions need to be asked about the understanding of data held by the Centre, on whose behalf Venugopal was arguing the case, because comparisons with former I-T commissioner Vishwa Bandhu Gupta's understanding of cloud computing come swiftly to mind. The notion that data is some sort of physical commodity that can be physically safeguarded is a lot like being content with handing over your debit card and PIN to someone, safe in the knowledge that your cash is safely stored in a bank vault.
What's next? A view that certain data can't be 'mined' because it's been buried deep enough underground?
To try and make sense of why 5-foot-thick walls or even 10-foot-thick ones for that matter are woefully inadequate when it comes to protecting data, here's a brief explainer about the myriad ways in which data can be snatched out from under the noses of its custodians.
To breach a database, you don't need to be physically present around this so-called five-foot-thick wall. Accessing a database physically is just one method, and most sophisticated attacks take place remotely. You can hack a database remotely, from a different city, state, country or even continent. All you need is sophisticated software, hacking intelligence, an internet-connected machine and a vulnerability to exploit. No thick door or high wall can prevent a data breach if these four requirements are met.
One of the most common loopholes that can make databases vulnerable is having a weak link in the human chain of command. You may have the best of security suites to protect your database, but if the right security protocols and processes aren't followed, there is nothing the world's best security suite can do to protect your data.
In the case of Aadhaar, there have been multiple instances of user databases (yes, demographic datasets) being searchable online. It wasn't meant to be that way, but somewhere someone who was in charge of this data did not follow the right protocols, leaving this data open for everyone to peruse. In such cases a hacker does not even have to do much, because the people handling the database aren't trained enough to practice the right measures. Even Fort Knox cannot protect you if your security staff knowingly or unknowingly leaves data vulnerable.
Socially engineered attacks are common fare. By that we mean, hackers can collect data on the human resources working at the UIDAI facility, try to tempt them with some too-good-to-be-true offer or something as trivial as a 'personality quiz', with the only condition being downloading something, which may turn out to be malware. If the smartphone or laptop to which this malware is downloaded is connected to the central network at the facility, it is only a matter of time before software codes can be manipulated to the whims and fancies of the trained hacker.
Back in 2010, a highly sophisticated worm going by the name of Stuxnet, which was used to attack Iranian nuclear facilities, was discovered. It targeted the machines used to enrich uranium and manipulated them to cause the machines to spin out of control. Now, an Iranian nuclear facility would certainly have much more physical security than a mere wall. And yet, sophisticated hackers managed to insert a worm which not only changed the code on machines but changed it in such a way that it had an effect on the hardware in the facility which led to shutdowns of reactors.
The State Resident Data Hubs (SRDH) contain Aadhaar data, including demographic and biometric data, as well as local data from other sources, such as Kerala’s KYR+. Security experts have said that these data hubs are vulnerable to attacks. This indicates that the CIDR is not the only repository of biometric data. Moreover, the SRDH allowed a ‘view’ of a ‘360-degree profile’ of an individual, in contrast with the UIDAI’s affidavit. Do the SRDH also have walls which are 13-feet high and five-feet thick?
We are in no way saying the Aadhaar biometric database is a sitting duck and anyone can hack it. But when the Centre presents it as a physical commodity which can be protected by thick walls, it certainly boggles the mind.