Aadhaar, India’s unique identity database, is a gift that keeps ON giving. Not for the more than one billion Indians who are part of the database, no. Not even for the ones running the show. In fact, especially not for them.
It is, however, a gift for those who oppose this government-sanctioned “digital leash”.
In a recent Huffpost exposé, it was revealed that the authenticity of the data stored in the Aadhaar database has been apparently compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users. The patch — a small piece of code inserted into a program to improve (so to speak) its functioning — a three-month long Huffpost investigation found, allows unauthorised persons from across the globe to generate Aadhaar numbers at will.
What is more horrifying, however, is just how easily the patch is available.
The report suggests that is still available for an amount as little as Rs 2,500.
What does the patch do?
The patch, for starters, lets users bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers. Biometric authentication, the cornerstone of every Aadhaar security defence presented by the Unique Identification Authority of India (UIDAI), with regard to most instances of criticism on Aadhaar security and safety, fails before this piece of code.
It gets worse.
The code, according to the report, disables the Aadhaar enrolment software's in-built Global Positioning System (GPS) security feature. The GPS system is used to keep track of the location from where an Aadhaar number is issued.
But by managing to bypass it, one can easily generate an “authentic” Aadhaar number from anywhere in the world - be it China, Pakistan, Bangladesh, North Korea or Russia.
Hooray for being Aadhaar being India’s nationalistic, patriotic ID card.
And finally, the code reportedly reduces the sensitivity of the enrolment software's iris-recognition system. What this effectively does is make things easier for one to “spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.”
According to Gustaf Björksten, Chief Technologist at Access Now, one of the experts HuffPost spoke with, "Whoever created the patch was highly motivated to compromise Aadhaar. There are probably many individuals and entities, criminal, political, domestic and foreign that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile. To have any hope of securing Aadhaar, the system design would have to be radically changed."
What does this mean for everyone?
For one, Aadhaar is no guarantee of anyone’s identity. If anyone can generate an Aadhaar number for an amount so insignificant, what is to stop this from happening at large? In fact, what is to suggest such a thing has not already happened?
The Centre has been decidedly adamant in its push for Aadhaar as a mandatory identification document. This is a directive that has largely been taken up by many private organisations, especially in the telecom and banking sectors. If fake Aadhaar numbers can be conjured out of nothing for less than Rs 3,000, then this push should be questioned more so than ever right now.
Not just from the a national security aspect — which this “hack” is likely to cause — this report also brings into question many other reasons provided by the Centre to push for the digital identification programme. Consider the idea of Aadhaar in the Public Distribution System (PDS) - rations meant for a certain section may find themselves depleted thanks to those who have gamed the system.
Or consider schemes like the National Register of Citizens (NRC). What grounds does documentation and identification of people in NRC zones stand upon, once it becomes apparent just how inexpensive and easy it is to forge these? More importantly, when the Centre has pushed so hard for Aadhaar, what happens to those who have only that as their ID proof, should the Centre choose to remove it as a valid document next?
What does the UIDAI have to say?
In a series of 24 tweets (yes), the UIDAI claimed the report is false. The organisation also claimed that “Certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted.”
UIDAI rambled on and on about how this is not true and how it has “taken all necessary safeguard measures spanning from providing standardised software that encrypts entire data even before saving to any disk, protecting data using tamper proofing, identifying every one of the operators in every enrolment, identifying every one of thousands of machines using a unique machine registration process, which ensures every encrypted packet is tracked."
The statement, however, sounds less than convincing. Especially so when one sees the kind of expert endorsement the original report has received. But that is what UIDAI and bureaucrats related to the department have been reduced to — defending the Aadhaar despite overwhelming evidence of its structural failure. Less than two months ago, RS Sharma, the chairman of the Telecom Regulatory Authority of India (TRAI), learnt the hard way just how vulnerable one can become by exposing their Aadhaar number to the public.
The UIDAI’s stance is unlikely to change. But one can hope that the judiciary would take into account this mountainous breach and take effective steps against the institution and the Centre that is apparently being willfully obtuse to the sheer number of real issues surrounding it.