Analysing Aadhaar through the Prism of National Security

One of the recommendations of the Kargil Review Committee, which was established to review the state of national security in the wake of the Kargil intrusions, was the issue of “Multi-purpose National Identity” cards to villagers living in conflict zones. It was subsequently decided to extend this scheme to all citizens, and that became the inception point of Aadhaar. The main motive for this expansion was to ensure the welfare of citizens by relatively easing their accessibility to various government schemes via a single identification document. This led to the establishment of a dedicated institution for rolling out the Aadhaar work called the Unique Identification Authority of India (UIDAI) on 28 January 2009. Nandan Nilekani (an Infosys co-founder) was appointed as the chairman of UIDAI on 23 June 2009. He launched the official logo and brand name of Aadhaar by April 2010. After years of debates and deliberations, the Aadhaar Act finally came into effect on 11 March 2016.1 As the Aadhaar project made progress, simultaneously the surrounding debates saw a tectonic shift – from frequent complaints about the display of incorrect data or lack of clarity over its significance to graver issues of cyber security, identity theft or data breaches. Whether the government is well equipped to handle something like the Aadhaar database still remains a part of the current discourse.

Role of UIDAI

The UIDAI allots a unique identifier (Aadhaar Number) to each citizen and deposits their biometric and demographic data in a Central Identities Data Repository (CIDR).2 Aadhaar or Unique Identification Number (UID) is a 12-digit number that serves as a unique identifier for Indian citizens. Aadhaar’s database has the records of over 1.12 billion registered users and is rapidly becoming the government’s base for public welfare and citizen services scheme.3

Aadhaar authentication process validates an identity with a ‘yes’ or ‘no’, using one of the six demographic fields (name, date of birth, gender, address, mobile or email) along with either biometrics or One Time Password (OTP). The process is designed in such a way that neither the purpose of the transaction nor any other context is known to the Aadhaar system in order to ensure the safety of any transaction. In addition, the UIDIA document also claims that “Every enrolment data packet is ‘always’ stored on disk in PKI (Public Key Infrastructure) encrypted form and is never encrypted or modified during transit making it completely inaccessible to any system/persons.”4

Contemporary Discourse

In Budget 2017, Aadhaar was made mandatory for availing Permanent Account Number (PAN) cards and filing Income Tax Returns. Furthermore, the central government is standing firm on its statement that it would provide social welfare benefits only to those with UID numbers by June 30, 2017. This interlinking of Aadhaar with various utility platforms (banks, PANs, birth certificates, etc.) will facilitate interconnectedness by making a network of networks. That, in turn, would pave the way for more accountability and transparency, although at the same time such a massive scale of digitisation and data centralisation may attract several threats and hence are crucial to outline. Especially given the numerous instances of cyberattacks like the one on the Bangladeshi bank account at the Federal Reserve Bank of New York that allowed hackers to steal more than USD 81 million5 or the Wannacry ransomware attack that affected almost 150 countries, have given rise to concerns over cyber security. In this context, the question remains as to whether Aadhaar is a readymade factory for criminal minds?

Security Challenges

As Aadhaar gained the currency of “proof of identity”, most checkpoints like railways, airports and even protected areas have started using it as a source of identity. But in reality Aadhaar in its physical form is just a plain card and can be downloaded from anywhere or a coloured printout that can be printed and may look as good as the original. It does not have a hologram or digital signature but rather a QR (Quick Response) code, which is just an image representation of a text and not a security feature.

Another flaw in Aadhaar’s security came to the limelight when a random blogger talked about how easy it is to access Aadhaar information with just a basic Google search.6 With the exponential growth in cybercrime, this centralised database may provide valuable information to criminals. This might lead to either illegal tracking of individuals or identification without consent. Such records may also aid in providing data on the precise location, time and context of the services availed by that individual. Moreover, sensitive financial information of individuals and companies may also be exposed through breaches of the UID database or internal collusion. An example of data breaches was seen when UIDAI temporarily halted Aadhaar payments by Axis Bank, Suvidhaa Infoserve and eMudhra because of unauthorised authentication and impersonation through the illegal storing of Aadhaar biometrics. This infringement caught the UIDAI’s attention after one individual conducted almost 397 biometric transactions between 14 July 2016 and 19 February 2017.7

In a report by an investigative website, those associated with the Aadhaar project “agreed to make Aadhaar Cards for applicants without any proof of identification or address” for charges ranging from Rs 500 to 2500. The website asserted that almost anyone, “be it Indian or an illegal immigrant can get an Aadhaar Card made without any proof of identity. More importantly, they get an Indian identity.”8 Though there were several reported cases of such activities, one that garnered a lot of attention was reported last month when a UIDAI operator in Bhilwara’s Mandal area tried to outwit the authorities by trying to get an Aadhaar card for slain terrorist Osama Bin Laden. However, the UIDAI got alerted due to the discrepancies in the personal data form and filed a complaint against the operator.9

Official Outlook

Time and again the critics of Aadhaar have been arguing that India is at the risk of becoming a surveillance state, but the Government of India does not, however, appear to be on the same page with academics and analysts who are targeting Aadhaar and its security features.10 In fact, in an interview, Union Minister for Electronics and IT, Ravi Shankar Prasad, stated that most of the criticism is misplaced and that Aadhaar is “completely safe, secure and robust.” He further added that these security concerns could just be the opposition’s way of bogging down the Aadhaar project. Even Nandan Nilekani, in his book Rebooting India, talks about all the benefits that Aadhaar offers and also addresses the security concerns that have been raised. The critics tend to forget that the idea is to empower the citizens and not the state. Since its inception, Aadhaar has adopted the principle of security by design, which ensures that no agency is able to track and profile any individual. In addition, the Aadhaar Act itself lays down several guidelines for protection of Information (Chapter VI) and subsequent punishment and penalties (Chapter VII). Adding to this view, one official spokesperson of the Axis Bank said “In case a person misuses biometrics, it is much easier to trace him using Aadhaar-enabled payments system (AEPS) as compared to other modes of digital transactions such as internet banking and card payments and that itself is the biggest security that Aadhaar can provide.”11 Moreover, to safeguard critical data, UIDAI will upgrade all pre-existing biometric devices with software aimed at protecting the security of the transmitted data. UIDAI will also ensure that all the new devices are registered under it from 1 June 2017. Indeed, on 22 February 2017, UIDAI had presented a proposal to the IT ministry on registration of biometric public devices to guarantee the safety of transactions and end-to-end traceability of the authentication process.

Conclusion

Though there might be several prevalent concerns over Aadhaar’s data security, these do not outweigh the benefits it has to offer. Besides, one cannot entirely overlook the government’s efforts to make Aadhaar more secure. All the technical glitches that are coming to the forefront are being immediately taken care of. UIDAI has also ensured that most of the biometric information gets encrypted by a UIDAI key at the chip level of any digital device, thus making it almost impossible for anyone to breach it. Privacy still remains a point of paradox and, in the absence of concrete privacy laws, citizens might be subjected to mass surveillance in the name of national security. But, contrary to the ongoing discourse, minimal monitoring is indeed required by the state to protect citizens. As of now, it is safe to tag Aadhaar’s security features as a “work in progress” rather than a foolproof arrangement. The government still requires much more dedicated, informed and comprehensive security policies and accelerated efforts to realise Aadhaar’s full effectiveness. Thus, with appropriate measures on the security front, Aadhaar can be associated with numerous benefits like a cashless society, reduction of voter fraud and legitimate allocation of subsidies.

Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.