A report from the Tribune on Thursday morning revealed yet another major weakness in the architecture built around Aadhaar, the Indian government’s 12-digit unique identity project designed to cover every resident of the country. While previous leaks have seen government websites giving away some data meant to be kept confidential, the Tribune story suggests that unverified agents can get access to demographic details of every single person enrolled in the Aadhaar database.
For a fee of merely Rs 500, a reporter from the newspaper was able to get access to personal details of any of the 1 billion people enrolled, and for another Rs 300, was able to print out Aadhaar cards for any given number.
How the hack works
That is a staggering security error, one that covered the entire Aadhaar database.
Here is how it worked: The Tribune reporter paid an agent Rs 500 through PayTM. The agent then created a gateway with a login and password allowing the journalist to search directly in the database. “Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI [Unique Identification Authority of India], including name, address, postal code [PIN], photo, phone number and email,” says the report, by Rachna Khaira.
For another Rs 300, the agent provided software that permitted the reporter to print out an Aadhaar card for any number put into the system, complete with photo, address and other details. The Tribune report claims that this is possible through access originally provided to over 3 lakh village-level enterprise operators who had originally been enlisted by the UIDAI to carry out Aadhaar enrolment. In November 2017, the UIDAI withdrew this job from the village-level and other operators due to security concerns, moving the task to post offices and designated banks. But, as per the reporter who conducted the hack, these operators still have access to the demographic details across the database, and are now charging a fee to offer this to anyone.
What does it mean?
Anyone who has your Aadhaar number can quite easily collect all sorts of other information about you, including your photo, home address, phone number and more. They can even print out a duplicate Aadhaar card.
This does depend on someone getting access to your Aadhaar number in the first place, a number that is supposed to be kept secret. But as numerous reports have shown just recently, often government websites themselves have been leaking Aadhaar numbers, making it easy for just about anyone to access them.
UIDAI denial
The UIDAI issued a press release denying the Tribune story and insisting that there has been no Aadhaar data breach. “UIDAI assured that there has not been any Aadhaar data breach. The Aadhaar data including biometric information is fully safe and secure.” The authority claimed that the search facility, which allowed the reporter access to demographic data using just an Aadhaar number, is meant to help designated personnel and state officials provide help to citizens who have grievances.
“UIDAI reiterates that the grievance redressal search facility gives only limited access to name and other details and has no access to biometric details. UIDAI reassures that there has not been any data breach of biometric database which remains fully safe and secure with highest encryption at UIDAI and mere display of demographic information cannot be misused without biometrics,” the statement said.
UIDAI blindness
But recent events have shown this to be untrue.
The simple example is a reminder of how often Aadhaar is now used as an identity document now without biometric authentication, such as as ID proof at an airport. Being able to print out anyone’s Aadhaar card turns this into a major vulnerability.
But there is more to it than that.
In October, Scroll.in reported on several cases of bank fraud being investigated by police in Delhi and Noida, wherein the alleged conmen simply needed access to the Aadhaar number and the phone number linked to it in order to siphon money out of accounts. The fraudsters did not need to breach UIDAI’s biometric database to steal money, they only needed the demographic data attached to an Aadhaar number – the same details that the Tribune reporter accessed – in order to carry out the con.
Not the first time
Some of this is actually not new. In April 2017, Scroll reported on some demographic data and Aadhaar numbers showing up through a simple Google search. In fact, the Tribune story instead suggesting that people are now starting to monetise their fraudulent access to the Aadhaar data. This means the Tribune story is most likely just the tip of the iceberg, especially because of how easily it was done. It is as likely that others have managed to download entire tranches of the demographic data from the Aadhaar database, if not the entirety of it, and can now use all of that personal information for anything from data-mining to fraud.
Yet UIDAI’s response all along has been to insist that there is nothing to worry about because the biometric data has not been compromised. “Mere availability of Aadhaar number will not be a security threat or will not lead to financial/other fraud, as for a successful authentication fingerprint or iris of individual is also required. Claims of bypassing or duping the Aadhaar enrolment system are totally unfounded. Aadhaar data is fully safe and secure and has robust uncompromised security.”
The impact of a report like this could be wide-ranging or it could end up being ignored for the most part, other than the authorities cracking down on the individuals involved in this case. The broader question raised by this incident relates to the data protection law, which the government told the Supreme Court it would bring in, in connection with the question of whether Aadhaar is a violation of the fundamental right to privacy. The Justice BN Srikrishna Committee has been asked to come up with data protection recommendations. But what use are those if all demographic data from Aadhaar enrollees is already in the hands of those who should not have it?