Is the biometric data of over a billion Indians safe in government hands?
That’s the question Congress leader P Chidambaram asked finance minister Arun Jaitley during a discussion in the Rajya Sabha on the finance bill 2017, which includes an amendment that makes Aadhaar mandatory for filing income-tax returns, on Wednesday (March 29).
“The Pentagon has been hacked. Five hundred million accounts have been hacked by somebody sitting in some country in Europe,” he said. “What is the guarantee that you have the technology to protect the hacking of bank accounts, hacking of income-tax accounts through the Aadhaar number?”
At a time when a vigorous debate is on around the Aadhaar platform’s ability to protect information and ensure privacy, Chidambaram raised a query many Indians are asking privately—and publicly. It, therefore, deserved a sincere answer.
Standing up across the well of the house, Jaitley quipped: “I think the Pentagon got hacked even without the Aadhaar being there, so the hacking doesn’t take place because of Aadhaar.”
Behind him, Jaitley’s ministerial colleagues smiled. Unamused, Chidambaram politely urged Jaitley to not trivialise his query.
“It’s a serious answer,” the finance minister insisted. “If the firewalls can be broken and hacking can take place, then hacking will take place any where. That is not a ground, that hacking takes place because Aadhaar is there.”
“Let us assume there is no Aadhaar, but some information which is contained in some network gets hacked or gets leaked. That is because of the technology you use there, and this technology itself can be broken into,” he continued, “And therefore, the fact that technologies can be broken into is never an argument which is given, so don’t add technology.”
To put it bluntly, Jaitley’s defence is bunkum.
Aadhaar isn’t just any random platform, or an isolated database that exists and operates in a silo. By virtue of being linked to a host of services and schemes (the government wants to add more), Aadhaar potentially becomes a tool to track an individual across multiple databases. If the government has its way, Aadhaar will be required for everything, from filing taxes to getting hold of a driver’s licence.
All this implies that the 12-digit ID number requires extra safeguards; comparing it to “some network (that) gets hacked or leaked” is inaccurate and disingenuous.
Somewhat ironically then, even Jaitley recognised later in his reply the need for robust “firewalls” and said that the “Aadhaar legislation has some provision” to secure the platform.
But there are serious doubts about the quality of these safeguards.
For one, the Aadhaar number isn’t nearly as confidential as it probably should be. The card is often printed out by its holders and used as a physical identity document (instead of only being used for online authentication). As a result, an Aadhaar number can be seen and copied by multiple individuals, opening up the possibility of “Aadhaar cards” being easily forged and misused offline. This is a structural problem and not something even multiple “firewalls” can resolve.
Even online, there are misgivings over the security measures adopted by the Unique Identification Authority of India, which runs the Aadhaar platform. Despite the Aadhaar Act 2016 and data security regulations passed last year, clear security standards do not exist, as lawyer Vrinda Bhandari and researcher Renuka Sane explained in a blogpost earlier this month:
Notably, Section 23(2)(m) of the Aadhaar Act empowers the UIDAI to specify, by regulations, “various processes relating to data management, security protocols and other technology safeguards under this Act.” Given the vast quantities of sensitive, personal data that is being stored in one centralised repository, one would imagine that the UIDAI would be quick in clarifying all the security protocols and technology safeguards. However, through Regulation 3(1) of the Data Security Regulation, the UIDAI does not lay out any specific measures for ensuring information security, instead only stating that: The Authority may specify an information security policy setting out inter alia the technical and organisational measures to be adopted by the Authority and its personnel, and also security measures to be adopted by agencies, advisors, consultants and other service providers engaged by the Authority, registrar, enrolling agency, requesting entities, and Authentication Service Agencies.
Regulation 5(a) then further requires service providers engaged by the UIDAI to ensure compliance with such information security policy “specified by the Authority”. Such a policy, to the best of our knowledge, has not yet been notified.
A regulatory vacuum of this sort means data of millions of citizens—Jaitley reiterated that over 98% of Indian adults had an Aadhaar—may not be entirely secure within, and especially outside UIDAI. In fact, the discovery of freely-accessibly Aadhaar-linked databases on the internet in the last month point to clear weaknesses in the existing system when data is stored by agencies other than the UIDAI. So there’s hardly any Pentagon-level security that needs to be breached here.
Moreover, an analysis by computer science and engineering researchers (pdf) from the Indian Institute of Technology, Delhi, also pointed out structural flaws within the UIDAI’s own architecture:
In an Aadhaar-like setup, the biggest threat to privacy comes from potential insider leaks. The Aadhaar technology architecture does not seem to have been explicitly designed to have strong protections against such insider leaks. We believe that effective protection against insider leaks necessarily requires a third party auditor under independent administrative control.
Of course, none of these are matters that Jaitley even attempted to tackle during his defence of Aadhaar in the Rajya Sabha, instead choosing to employ serpentine logic that doesn’t quite hold water. In doing so, the finance minister lost an opportunity to provide solid assurance to those anxious about the safety of the platform.
We welcome your comments at firstname.lastname@example.org.