A journalist from the Tribune was able to purchase unrestricted access to the Aadhaar database for as little as Rs 500, according to a report from the publication. This access allowed the journalist to get details of Name, Address, PIN code, photo, phone number and email. For another Rs 300, the Tribune team was given software for printing an Aadhaar card, after entering the Aadhaar number for anyone. The journalist was made an Enrolment Agency Administrator for CSC SPV, apparently without any checks.

The story quotes Sanjay Jindal, Additional Director-General, UIDAI Regional Centre, Chandigarh, as saying that this is a national security breach. These groups targeted Village Level enterprise operators who were given access to the UIDAI data via Common Service Centres, for enrolment work. Those providing access did so via aadhaar.rajasthan.gov.in, but it’s not clear whether that is truly the case.

We’ve written to UIDAI CEO Ajay Bhushan Pandey for comments and will update when we hear from him. We’ve sent the following questions to him:

1. How many Village Level Enterprises were given access to the Aadhaar database?
2. What practices are/were followed in order to ensure that access is given only to personnel authorised by the UIDAI?
3. Do CSCs or VLEs have the ability to give database access to third parties without the UIDAI’s permission or knowledge? What processes are in place to prevent this?
4. Does each VLE have access to the entire aadhaar database or only parts of it? Is the data in silos or is a single point of access able to give access to the entire database? What led to this decision making?
5. What mechanisms does the UIDAI have in place to detect and monitor unauthorised access?
6. What mechanisms does the UIDAI have in place to detect the usage of non-secure connections to the database?
7. Does the UIDAI have any processes in place to ensure the security of SRDH’s? What kind of monitoring does the UIDAI do over the operations of SRDHs?
8. What processes does the UIDAI have to detect addition of fake entries into the Aadhaar database?
9. For enrollments done through unauthorised access, has the UIDAI ever canceled registrations of those who have been enrolled via such means? How many such instances have been detected and what action has the UIDAI taken regarding such enrollments?

A few comments:
1. All instances of breach/leak will be huge: the UIDAI, it would appear, is architected to be a single point of access/failure. Each instance of breach or unauthorised or illegal access will lead to access to almost all data, except maybe biometrics. This is a design flaw: even if it makes getting data more convenient, it also puts ALL of that data at risk with a single point of access

2. Parallel databases will hurt even more: The flaw in Aadhaar also lies with the design of the eKYC mechanism, wherein as more and more people do an eKYC, the chances of that data leaking increase. As linkages increase and more people get to store users personal data – for example, in a National Public Credit Register, or via the National Health Information Network, or even state level Aadhaar databases, it’s impossible for the UIDAI to keep user data secure everywhere.

3. Expect UIDAI and government officials to say “no breach” and “biometrics have not been leaked”: The typical response that we hear from the UIDAI and MEITY is that there is no “breach”, and that “biometrics are secure”. A few things here. A breach typically refers to access without authorisation, and in this case, it’s just an instance of someone getting the authority to access, so the government is able to weasel out of this and say that it isn’t a breach. In the same way, when 210 websites published user data (minus biometrics) for over 130 million people, it wasn’t a leak, it wasn’t a breach. It was just “a mistake”.

Secondly, biometrics are the least secure kind of data because you leave them everywhere. So you’ve left it on a glass of water that you just drank, or they can be cloned from photographs.

Thirdly, the Aadhaar Act legally treats Aadhaar number on par with biometrics as sensitive data. So to say that someones Aadhaar number and other personal data leaking is not a massive issue is to try and sweep these problems under the carpet.

4. In Parliament, expect government to say that the Aadhaar Act has penalties that prevent illegal access. Remember that while the law might make this access illegal, it doesn’t prevent illegal access. People do illegal things until caught. More data will get compromised because it’s easy to do this, and the way the system is built, there will always be issues cropping up, and they’ll keep plugging hole after hole for the rest of Aadhaar’s existence.

5. Printing an Aadhaar card might be sufficient: how often are biometrics checked to authenticate an individual? Rarely. Aadhaar is just a number, and cards can be printed by anyone. That was done as a design choice, to make a physical card irrelevant – not use smart cards- and use only a number as an identification tool. Means that smart-card cloning is not a risk. However, the problem here is social: societal conditioning has meant that people want to see a physical object, and if someone can furnish a real looking Aadhaar card, those checking feel that it is real. Not enough was done to address this social conditioning, and in fact, people have been denied medical treatment if they turned up with a printout (which should work) instead of a card. Thus, just a real looking card with authentic looking information can work for most people, and anyone can use a real looking card as an ID. So if data part from biometrics is compromised, people can be compromised.

6. Fakes? The Tribune story mentions 1 lakh illegal users but doesn’t have details. We read about the UP case as well, where admin biometrics were cloned and Aadhaar software was patched to create IDs. Fact is, we don’t know how many Aadhaar enrolments are fake, especially since the UIDAI does not physical verification of its own, and relies on the same ID documents for verification, which it seeks to replace. How will the UIDAI ever know how many fake enrolments have been done, without actually re-authenticating every individual who has ever gotten an Aadhaar? It’s unlikely that they’ll re-authenticate 1.19 billion people.

7. Haste makes waste: The reason for all these issues, apart from bad design and implementation, is the haste for enrolment. While the government has been boasting about how quickly enrolments were done, the outsourcing of enrolments to third parties, the payment mechanism, where enrolment agencies were paid per enrolments, have led to poor checks and balances, and the assumption that they’ll fix problems when they arise hasn’t worked out well when monitoring appears to have been weak, especially given the scale of the project. The opposite of move fast and break things, I heard somewhere, is move slow and fix things.

8. Lastly, it’s important to remember that the Tribune journalist could be sued by the UIDAI here. They’ve done it before in case of two entities: a researcher called Sameer Kochhar had pointed out the dangers of replay attacks and was sued. A journalist called Debayan Roy had shown how Aadhaar can be made using fake ID cards and was sued. Suing them won’t solve the UIDAI’s problems: it’ll only deter others from pointing out issues that can be fixed.
*

If you have ideas on how to fix this mess, mail me at nikhil@medianama.com