Identity Project

Security of Aadhaar's data is under question, but pointing to the gaps could lead to a police case

The official UIDAI has filed a criminal complaint against a writer-entrepreneur for an article demonstrating how stored biometric data could be misused.

In the past week, reports of two criminal complaints related to the security of the Aadhaar database – a centralised database of biometric scans of over 100 crore Indians – has raised concerns about a bigger data breach.

On February 24, the Times of India reported that the Unique Identification Authority of India – which issues the 12-digit Aadhaar numbers that ensure targeted delivery of subsidies, benefits and services – had on February 15 lodged a complaint with the Delhi Police Cyber Cell against Axis Bank Limited, its business correspondent Suvidha Infoserve, and esign provider eMudhra for illegally storing biometric data and performing unauthorised Aadhaar authentication.

The Authority alleged that the firms performed multiple transactions using replay of stored biometrics – for instance, one individual supposedly performed 397 biometric transactions between July 14, 2016 and February 19 this year. It described this as a violation of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016, as the law does not allow the storage of biometric data.

Announcing additional safety measures, Authority officials stated that they have submitted a proposal to the IT Ministry on February 22 that from now on till May, all biometric devices would be registered with it, and an Aadhaar encryption key would be introduced in their hardware to ensure the data received was “captured live”.

Gaps in the system

While the investigation into the complaint is still on, the Asian Age reported on February 28 that the Authority had registered a separate police complaint against an individual, Sameer Kochhar, who heads the Gurgaon think tank Skoch Development Foundation. The complaint was in connection with an article, “Is a Deep State at Work to Steal Digital India”, Kochhar had published on February 11 in his magazine, Inclusion, about security vulnerabilities in Aadhaar systems. The article included a video demonstrating how unauthorised transactions were possible using replay of stored biometrics – the same malpractice for which the Authority had taken action against Axis Bank, Suvidha and eMudhra.

Two days after the article was published, the Authority’s chief executive officer, ABP Pandey, responded to it on Twitter by calling it a fake video and asking Kochhar to stop spreading rumours. Two weeks later, the agency registered the police case against Kochchar.

Confirming this, Deputy Commissioner of Police (Crime-South) Bhisham Singh said, “We have received a complaint from UIDAI that an individual Sameer Kochhar had floated a video and an article on Google, saying Aadhaar was not foolproof, the UIDAI says this is against Aadhaar Act, and we have registered a First Information Report.” Singh added that the FIR was not yet public and the police had not contacted Kochhar. “UIDAI says his claims are false, and we will investigate if this is so,” he said.

Another senior police official, who did not wish to be identified, said the case against Kochhar was registered under Sections 37 of the Aadhaar Act and several other provisions of the Act as well as the Indian Penal Code.

Section 37 says:

Whoever, intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised under this Act or regulations made thereunder or in contravention of any agreement or arrangement entered into pursuant to the provisions of this Act, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees, or with both.

On February 22 – before the police complaint against Axis Bank and the two other firms were reported – Kochhar leaked a letter purportedly sent by the Authority to one registered authentication user agency (whose name was masked) asking how it had performed multiple concurrent Aadhaar authentications on January 11 through the unauthorised use of stored biometrics of one individual.

The letter also stated that the Authority had detected a firm that was illegally using a “licence key”. Section 15 (2) of the Authentication Regulations of the Aadhaar Act — the Aadhaar Regulations are currently in Parliament — say a requesting entity can permit another agency or entity to perform a yes/no authentication by generating a “separate licence key”. In this instance, the second entity performs electronic know-your-customer requirements for financial transactions, even though it had no permission to do so.

The letter leaked on Twitter by Sameer Kochhar on February 22.
The letter leaked on Twitter by Sameer Kochhar on February 22.

In an emailed response to Scroll.in, Kochhar said he had found out about the FIR against him from the Asian Age report, and that he had not yet been contacted by the Unique Identification Authority of India or the Delhi Police. “The story is available on www.inclusion.in and whatever other information and documents I have shared are on my Twitter timeline,” he stated. “I look forward to find out which parts of Aadhaar Act 2016 prohibit media reporting on its vulnerabilities.”

He also pointed out the Authority had not denied having issued the letter leaked by him.

Unique Identification Authority of India officials refused to share a copy of the police complaint or the basis of their action against Kochhar. “It may have been part of the original complaint against Axis Bank, and other, but we cannot share any details on this,” said Vikash Shuka, senior manager, communications and public outreach, at the Authority’s headquarters in Delhi. Shukla added that the Authority did not have a spokesperson who could publicly comment on the details of the complaint against Kochhar.

Shooting the messenger?

Prasanna S – a lawyer for petitioners who have challenged Aadhaar in the Supreme Court – said it was not clear that what Kochhar demonstrated was related to information gathered in authentication or enrollment, as Section 37 of the Aadhaar Act, which has been mentioned in the FIR against him, suggests. He accused the Unique Identification Authority of India of using Section 37 to stifle criticism and curtail speech. “If you criticise Aadhaar project, the government says ‘you are just saying so, you do not understand the project’,” the lawyer said. “Here, someone has demonstrated evidence of a security flaw and they are saying ‘how dare you expose its vulnerability’.”

“Do we now have to be worried about sedition against UIDAI?” he added, expressing concern at the Authority registering an FIR against a citizen for exposing a security vulnerability in Aadhaar.

Chinmayi Arun, executive director of the Centre for Communications Governance at the National Law University, Delhi said that “threatening concerned citizens who identify holes and errors that the authority should be fixing is foolish”. She added, “The UIDAI should be rewarding those who find its breaches – instead, we have attempts to intimidate them into silence through the abuse of the state’s police powers. The Aadhaar Act enables this intimidation and it is high time the Supreme Court put a stop to it.”

Kiran Jonnalgadda, co-founder of HasGeek, a community for start-ups for software development in Bengaluru, said Kochhar’s complaint and the Authority’s action against the three firms showed it had failed to provide sufficient technical protection against such attacks. “Replay attacks are a well-known problem, and the Application Programming Interface should not be storing the fingerprint on the device itself,” he said.

“The irregularities detected show they did not have sufficient technical protection, only legal protection against this,” he added. “The UIDAI provides for SMS, email alerts on authentication, but even this is optional.”

Jonnalgadda pointed out that new technical protection — of introducing registration of biometrics devices — was, in fact, added after Kochhar’s article. “The new technical protection kicked in after Kochar, a high profile individual, made an accusation, the video went public and UIDAI CEO replied on Twitter publicly saying, ‘Aadhaar is secure, do not spread rumours’, and then, after all this, they bothered to investigate,” he said.

He, too, said that someone raising a security issue in the system should be rewarded and not punished.

We welcome your comments at letters@scroll.in.
Sponsored Content BY 

“My body instantly craves chai and samosa”

German expats talk about adapting to India, and the surprising similarities between the two cultures.

The cultural similarities between Germany and India are well known, especially with regards to the language. Linguists believe that Sanskrit and German share the same Indo-Germanic heritage of languages. A quick comparison indeed holds up theory - ratha in Sanskrit (chariot) is rad in German, aksha (axle) in Sanskrit is achse in German and so on. Germans have long held a fascination for Indology and Sanskrit. While Max Müller is still admired for his translation of ancient Indian scriptures, other German intellectuals such as Goethe, Herder and Schlegel were deeply influenced by Kalidasa. His poetry is said to have informed Goethe’s plays, and inspired Schlegel to eventually introduce formal Indology in Germany. Beyond the arts and academia, Indian influences even found their way into German fast food! Indians would recognise the famous German curry powder as a modification of the Indian masala mix. It’s most popular application is the currywurst - fried sausage covered in curried ketchup.

It is no wonder then that German travellers in India find a quite a lot in common between the two cultures, even today. Some, especially those who’ve settled here, even confess to Indian culture growing on them with time. Isabelle, like most travellers, first came to India to explore the country’s rich heritage. She returned the following year as an exchange student, and a couple of years later found herself working for an Indian consultancy firm. When asked what prompted her to stay on, Isabelle said, “I love the market dynamics here, working here is so much fun. Anywhere else would seem boring compared to India.” Having cofounded a company, she eventually realised her entrepreneurial dream here and now resides in Goa with her husband.

Isabelle says there are several aspects of life in India that remind her of home. “How we interact with our everyday life is similar in both Germany and India. Separate house slippers to wear at home, the celebration of food and festivals, the importance of friendship…” She feels Germany and India share the same spirit especially in terms of festivities. “We love food and we love celebrating food. There is an entire countdown to Christmas. Every day there is some dinner or get-together,” much like how Indians excitedly countdown to Navratri or Diwali. Franziska, who was born in India to German parents, adds that both the countries exhibit the same kind of passion for their favourite sport. “In India, they support cricket like anything while in Germany it would be football.”

Having lived in India for almost a decade, Isabelle has also noticed some broad similarities in the way children are brought up in the two countries. “We have a saying in South Germany ‘Schaffe Schaffe Hausle baue’ that loosely translates to ‘work, work, work and build a house’. I found that parents here have a similar outlook…to teach their children to work hard. They feel that they’ve fulfilled their duty only once the children have moved out or gotten married. Also, my mother never let me leave the house without a big breakfast. It’s the same here.” The importance given to the care of the family is one similarity that came up again and again in conversations with all German expats.

While most people wouldn’t draw parallels between German and Indian discipline (or lack thereof), Germans married to Indians have found a way to bridge the gap. Take for example, Ilka, who thinks that the famed differences of discipline between the two cultures actually works to her marital advantage. She sees the difference as Germans being highly planning-oriented; while Indians are more flexible in their approach. Ilka and her husband balance each other out in several ways. She says, like most Germans, she too tends to get stressed when her plans don’t work out, but her husband calms her down.

Consequently, Ilka feels India is “so full of life. The social life here is more happening; people smile at you, bond over food and are much more relaxed.” Isabelle, too, can attest to Indians’ friendliness. When asked about an Indian characteristic that makes her feel most at home, she quickly answers “humour.” “Whether it’s a taxi driver or someone I’m meeting professionally, I’ve learnt that it’s easy to lighten the mood here by just cracking a few jokes. Indians love to laugh,” she adds.

Indeed, these Germans-who-never-left as just diehard Indophiles are more Indian than you’d guess at first, having even developed some classic Indian skills with time. Ilka assures us that her husband can’t bargain as well as she does, and that she can even drape a saree on her own.

Isabelle, meanwhile, feels some amount of Indianness has seeped into her because “whenever its raining, my body instantly craves chai and samosa”.

Like the long-settled German expats in India, the German airline, Lufthansa, too has incorporated some quintessential aspects of Indian culture in its service. Recognising the centuries-old cultural affinity between the two countries, Lufthansa now provides a rich experience of Indian hospitality to all flyers on board its flights to and from India. You can expect a greeting of Namaste by an all-Indian crew, Indian food, and popular Indian in-flight entertainment options. And as the video shows, India’s culture and hospitality have been internalized by Lufthansa to the extent that they are More Indian Than You Think. To experience Lufthansa’s hospitality on your next trip abroad, click here.

Play

This article was produced by the Scroll marketing team on behalf of Lufthansa as part of their More Indian Than You Think initiative and not by the Scroll editorial team.