Nandan Nilekani is himself an example of how not to be cavalier about Aadhaar security
As the Aadhaar debate takes a tumultuous turn, especially after the investigative report by The Tribune showing the UIDAI (Unique Identification Authority of India) database admin rights on sale for as little as Rs 500, two developments shed a serious light on the possible course of events. Though the Aadhaar matter comes up for hearing before a constitutional bench of the Supreme Court on January 17, the two pieces of news, related in a way, tell us what's the stance of the UIDAI is going to be despite mounting evidence of Aadhaar's shaky, leaky structure.
Nilekani's old Aadhaar tweet
The first relates to the report by Buzzfeed News that the creator of Aadhaar, and the head of UIDAI from 2009 to 2014, Nandan Nilekani, himself had tweeted out his Aadhaar number, with the first 8 digits redacted. However, his tweet, showing an image of his Aadhaar card, still carried the QR code that was enough for those with basic tech expertise to decode his demographic details, his bank account numbers, and other sensitive information.
The report shows how Nilekani's personal information is still available online, and that the man steering the UIDAI ship was himself unaware of the immense breach of his own confidential information that had occurred when he posted the picture of his Aadhaar card, with the QR code intact. The report also says how the information is available online and is literally at the mercy of whoever's decoded it with an iOS and Android apps, while screenshots of Nilekani's tweet abound online, particularly in tech chat groups and discussion forums.
While Nilekani had shrugged off the potential harm posed by his own tweet, even though he was alerted by tech specialists a number of times, he did in fact delete it months before the Aadhaar Act was passed in September 2016, which made publishing Aadhaar information online a criminal offence. Moreover, this is further corroborated by UIDAI's own recent tweet cautioning users to "delete" Aadhaar downloaded at public internet cafes or via non-private systems, something that came in the aftermath of The Tribune exposé.
Please ensure that you delete the local copy of Aadhaar downloaded in any cyber cafe or on any other public machine as it may lead to misuse. #AadhaarEssentials pic.twitter.com/eQFepsV6kr
— Aadhaar (@UIDAI) January 6, 2018
Enter virtual IDs
The other development is the introduction of the new "virtual ID" to prevent Aadhaar from hacks and potential breaches. How this works is explained in a tweet by UIDAI itself, and it involves using a virtual ID in place of the Aadhaar number for any service being used for Aadhaar authentication. It's an optional service, and it would be a 16-digit random number mapped on to the 12-digit Aadhaar number. It's also a temporary number that would lapse after a particular amount of time (yet to be specified by the UIDAI), or when the user generates a new VID.
To further strengthen privacy and security of Aadhaar holders, UIDAI introduces #VirtualID or VID. #AadhaarVID pic.twitter.com/hWHrns6tbh
— Aadhaar (@UIDAI) January 11, 2018
#Aadhaar is here to stay! Happy that the @UIDAI has introduced virtual ID and limited KYC in the spirit of continuous innovation to enhance privacy and security. https://t.co/EyWGB2KiK5
— Nandan Nilekani (@NandanNilekani) January 10, 2018
Now, while Nilekani himself has asserted that virtual IDs would be fool-proof, tech experts and Aadhaar critics say it's not going to be so. For one, the fact that UIDAI has introduced virtual ID is in itself as candid an admission of Aadhaar's severe security flaws, exposed by global tech expert Troy Hunt in a recent lengthy write-up.
However, more than that, Aadhaar critics, particularly the tech website Medianama, have challenged the assertion that the introduction of VID and limited KYC would plug the gaping hole in Aadhaar's problematic security system.
The critics point out that "Aadhaar-issuing body (UIDAI) plans to split the third party authenticators (like telecom providers, banks, etc) into two groups and the virtual ID/limited KYC will be useful for only one of them".
While "global authentication user agencies" will get to access the entire KYC gamut and the Aadhaar number, smaller, local authentication agencies will be given the virtual IDs.
But how the classification would be done remains a grey area, and clearly there would be overlaps, breaches in these interfaces. However, the deadline for smaller companies to submit the application for the virtual ID system based authentication is March 1, just one- and-half-months from now, and experts say it's too soon.
Moreover, this is useless in rural areas where paper-based copies of Aadhaar card are widely used, along with biometrics, to authenticate users, making the virtual ID layer of security an urban-centric stop-gap measure.
Moreover, what about the Aadhaar numbers already leaked through portal access sales, which had given out the "unique" Aadhaar numbers to those with nefarious intentions, thereby exposing them to threats even in the future.
UIDAI's cavalier attitude
The UIDAI's and the government's cavalier attitude towards security in Aadhaar has been exposed many times over. However, right now, when this has started making global headlines, the security breaches are getting bigger by the day to be stalled by the new-tool-a-day trial-and-error method.
In fact, these are the checks that should have been run while the Aadhaar system was still a pilot project. The hurry with which it was turned into a national ID system for over a billion Indians is now evident, with a new issue staring at UIDAI's face every day.
However, with even a tech-savvy public personality like Nandan Nilekani, in-charge of UIDAI from the beginning and the chief conceptual brain behind the entire Aadhaar project, making the cardinal mistake of publishing his Aadhaar details without estimating the consequences of the same, paints a sombre picture.
Even the new virtual ID wouldn't undo the damage done by the UIDAI head himself, experts say. The digital selves of one-billion-plus Indians don't seem to be in very safe hands, at least for now.