Aadhaar security: UIDAI has not conducted serious forensic audits for breaches

Srinivas Kodali • August 1, 2018, 10:41:31 IST

Security researchers will continue to show how vulnerable Aadhaar is until UIDAI acknowledges them.


There are a lot of claims about the security of Aadhaar, both good and bad, depending on who is making them. There have been many reported leaks of Aadhaar data by third parties, for which the UIDAI claims no responsibility. In response to a parliamentary question, UIDAI itself has accepted that at least 210 websites have been publishing Aadhaar numbers along with other personal information. The authority has reported at least 50 FIRs, with multiple incidents of people actually breaking the software of both UIDAI and third parties to break into the Aadhaar ecosystem. Even with all these security mishaps, the authority has conducted no serious forensic audits.

Since the first Aadhaar leak, which was reported in early 2017 (by the author), forensic audits and a better bug-reporting mechanism have repeatedly been suggested to the UIDAI so that it could handle security incidents better. By not recognising the inherent problem of leaks or the seriousness of the vulnerabilities in its ecosystem, UIDAI has put the general public in harm’s way. UIDAI’s assurances without technical backing, and its rejections of security loopholes, have led security researchers to report these issues in the public domain instead of reporting them privately to the authority.

The Aadhaar infrastructure has been classified as National Critical Infrastructure, which makes any and every security incident a national security risk. This classification also means that the National Critical Information Infrastructure Protection Centre (NCIIPC) handles the security of the infrastructure. Unlike UIDAI, the NCIIPC does have a clearly defined bug-reporting mechanism, and it actively requests security researchers to report critical issues to it. The NCIIPC has a proven record of responding to researchers, while the Computer Emergency Response Team (CERT) does not always respond.

The UIDAI too is responsible for the security of the Aadhaar databases, and thus carries out security audits within the ecosystem of private players who access the project’s application programming interfaces. Limited in manpower, UIDAI has outsourced the security audits to consulting agencies. So far, the authority seems to have carried out audits of only 7 private firms, among them NSDL, Alankit Limited, Equifax, Fino Paytech Limited, Transunion, Smartchip and Khosla Labs. Some of these players have recently been breached by hackers or have been reported by security researchers to have issues. The sheer number of private firms and government agencies using Aadhaar makes it near impossible for UIDAI to audit all of these entities. But it has only itself to blame for not starting the audit process and appointing the consultants until July 2018.

Even in the case of established security incidents, the authority fails to initiate forensic analysis, resulting in further data leaks. A clear example of this is the many government websites of Andhra Pradesh leaking Aadhaar data. The AP government itself initiated audits after at least a dozen reports that the entire state’s Aadhaar data had been leaked, linked to medical records, property records, religion, caste, geo-location and even data on the toilets built in individuals’ houses.

[Image caption: A man goes through the process of eye scanning for the Unique Identification (UID) database system, Aadhaar, at a registration centre. Image: Reuters]

In terms of accountability, the UIDAI has a poor record: the authority won’t even disclose under the RTI how it spends taxpayers’ money. It has often been selective in discharging its responsibility to uphold the Aadhaar Act and the regulations under it, which have always been used to target any dissent against the project. Transparency in UIDAI operations and decision making has been an issue ever since the project was announced. Under these circumstances, the new draft data protection bill wants to give complete autonomy to the UIDAI, without stripping it of its regulatory powers and letting an independent agency carry out these functions. This recommendation from the expert committee headed by Justice Srikrishna is quite bizarre.

Security researchers will continue to show how vulnerable Aadhaar is until UIDAI acknowledges them. On the security of the Aadhaar project, the authority has not spent even half the money it spends on advertisements. If the UIDAI wants people to trust the Aadhaar project, it needs to earn that trust. Publishing front-page advertisements in newspapers or playing boring videos in theatres about how great Aadhaar is will not help. Threatening security researchers or rubbishing their claims without providing the necessary proof, instead of working with them, is not helpful to anyone.

The author is an independent researcher working on data and the internet. He has reported several security incidents in the Aadhaar ecosystem which the UIDAI won’t acknowledge.

Tags
Aadhaar Transparency RTI Security UIDAI software FIR Data breach NCIIPC Protection Aadhaar data Computer Emergency Response Team National Critical Information Infrastructure Protection Centre