The Daily Fix: Once again, government must answer whether Aadhaar meets basic security standards

Very soon, it is expected, the Supreme Court will deliver its verdict on the constitutional validity of Aadhaar, the unique 12-digit identity number based on biometric and demographic data. According to petitioners, Aadhaar impinges on important rights and freedoms: the right to privacy, an individual’s autonomy over her body, the right to access vital state services and benefits. But apart from a debate on principles, the state needs to answer whether its unique identity project fulfils basic security requirements.

Over time, the scope of the biometric identity has spread across various arenas of everyday life, from opening bank accounts to availing government subsidies, allowing the state to track and profile its citizens if it so wishes. It has asked citizens to surrender intimate details about their lives to a unified database that has, time and again, been shown to be leaky, prone to duplication and theft.

A new report by Huffington Post suggests that a software “patch”, or a bundle of code, can disable critical security features of the software used to enrol new users. The patch, available for Rs 2,500, allows unauthorised users to generate Aadhaar numbers, bypassing biometric authentication. It also disables the enrolment software’s GPS security feature, which means numbers can be generated anywhere in the world, and blunts the software’s iris-recognition system, which authenticates registered operators.

The flaws which make the Aadhaar technology vulnerable to this hacking are inherent in its fundamental structure, the report suggests. The patch could defeat many of the stated aims of the project, such reducing corruption, preventing fraud and identity theft. Experts also suggest that, though the hack is used by village-level computer operators, it betrays the presence of “sophisticated well-trained adversaries”.

This is not the first time that gaps in the system have been exposed. Not long ago, there were reports of massive pilferage in the public distribution system in Uttar Pradesh, where about 2.2 lakh tonnes of wheat and sugar were siphoned off. Earlier, it was emerged that Aadhaar data could be accessed for just Rs 500. Concerns about national security have also been raised, as Aadhaar creates a “map of maps”, an infrastructure of information that could be of strategic value to a foreign adversary.

In most cases, the Unique Identification Authority of India’s reaction has varied between dismissal, denial, bluster and, when all else fails, cases against journalists who point out such flaws. The last reeked strongly of an attempt at intimidation. This time, the authority has rejected the report as “completely incorrect and baseless”. While the UIDAI refuses to take such reports into account, examine its systems and plug the gaps which may exist, the Centre seems to be dragging its feet on a new data protection law. Back in January, one of the petitioners had argued that there was no forum to complain if a data breach took place, which suggests there is little accountability for failures in such systems. Taken together, these facts paint a bleak picture about the state’s commitment to securing the data of its citizens.