What happens to your Aadhaar data: The good, the bad and the ugly

What is the purpose of Aadhaar?

Aadhaar, when proposed, was seen as an identity card that can be linked to government services, allowing the poor of the country to claim benefits, subsidies, open accounts, etc. It was touted as a way to remove the middlemen, so that benefits directly reach the poor sans any corruption. It was aimed to be India's official ID for the citizens, especially those who find it impossible top bank accounts, get loan and so on, owing to lack of documents.

 

What data is collected and why?

According to this document, UIDAI's mandate was to provide a unique ID to each citizen, without any duplication. So, in 2009, the DDSVP committee decided that it will collect minimal demographic data such as name, gender, date of birth, address, mobile number and email. Further to ensure there is no duplication and one person gets only one ID, Aadhaar system collected biometric data. Multi-modal biometrics was put in place such as iris and fingerprint scanning for better accuracy.

 

Where is the Aadhaar data stored? Is it safe?

Now, Aadhaar project is touted to be the biggest biometric database in the world with 1.13 billion registered users. And, a lot is being said and written about Aadhaar data storage and privacy. This brings us to understand where exactly the data is stored and what happens when you link the number with other accounts.

 

This UIDAI document explains that the government, just like for any other government program, employs private agencies accompanied by strong security measures. The database is stored on government servers. UIDAI claims to use highest public key cryptography encryption and each data record comes with built-in mechanism to detect tampering.

 

Each enrolment record is signed by an operator and packets from authentic and approved operators are processed. "Every enrolment data packet is ‘always’ stored on disk in PKI encrypted form and is never encrypted or modified during transit making it completely inaccessible to any system/person," the document reads. Measures are taken that no human being or software or govt setup can modify or access the encrypted data.

 

What happens when Aadhaar is used by services?

 

According to UIDAI, Aadhaar authentication validates an identity with a ‘yes’ or ‘no’, using one of the six demographic fields namely, name, date of birth, gender, address, mobile and email along with either biometric or OTP. No data related to the transaction is mentioned, claims UIDAI. It is designed in a way that neither the purpose of transaction nor any other context is known to the Aadhaar system. This authentication, which is claimed to the fact that the holder is authenticated along with time and date, is retained for six months in online audit and offline for 7 years. The purpose of doing so is to resolve any dispute with the bank, if any. Linking it with a bank only means the bank's account database now has the customer Aadhaar number.

 

How it can be misused

Is the data safe? Well, No! What's caused uproar is UIDAI filing a police complaint on 15 February against Axis Bank, Suvidhaa Infoserve and eMudhra, claiming an attempt of unauthorised authentication and impersonation by illegally storing Aadhaar biometrics. Apparently, multiple transactions were made with the same fingerprint. So, UIDAI is admitting the breach and hence the previous claims how Aadhaar data is immune to vulnerabilities falls flat on the face.

 

"The breach was noticed after one individual performed 397 biometric transactions between 14 July 2016 and 19 February 2017. Of these, 194 transactions were performed through Axis Bank, 112 through eMudhra and 91 through Suvidhaa Infoserve," according to a report by LiveMint.

 

Now, under Aadhaar Act, one cannot copy Aadhaar data, and doing so makes it a criminal offence. On the other hand, the report also claims that it isn’t a flaw in the Aadhaar system but a breach of law.

 

So, Aadhaar is susceptible to security vulnerabilities, just like any other system. Some of the recent events are when former Indian cricket captain MS Dhoni's Aadhaar details were leaked online or this report that reveals how salespersons used Aadhaar data and fingerprint scans of other customers to sell Jio SIM were arrested. We've also seen how Aadhaar numbers of minors were revealed.

 

A report by Scroll claims that its queries for information related to Aadhaar breaches were dismissed on grounds of national security and confidentiality. Though Aadhaar rules state that an individual's Aadhaar number shall not be published or displayed, the person whose data is breached may incidentally never know of such a breach as Aadhaar Act lacks such a provision, the report further added. 

 

Now, such incidents may reappear in newer forms as we make Aadhaar an inseparable part of our daily lives, especially with payments made using Aadhaar. It has loopholes like any other system, from fake Aadhaar entries to illegally storing Aadhaar data and so on. In a nutshell, Aadhaar privacy is going to be a big challenge for the government. Stricter rules and an improved Aadhaar Act seem like the need of the hour.

 

Watch out the space for more on the misuse of Aadhaar.