Aadhaar: Good, Bad And Ugly

Before I begin, I would like to quote the current Attorney General of India:

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.”
- Attorney General Mukul Rohatgi

(Article 21 of the Indian constitution refers to the right to life and liberty.)

What is Aadhaar?

From food rations to marriage certificates, entrance exams to train ticket concessions, mobile phone cards to banking, Indians are now being asked to produce a 12-digit Aadhaar number to access both government and private sector services.

This number is connected to their fingerprint and iris scans that are stored in a centralised database. As of September 2016, this database held the demographic and biometric information of more than 105 crore people – more than 80% of India’s population, and three times the population of the United States.

“The Unique Identification Authority of India (UIDAI) is a statutory authority established under the provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act 2016”) on 12 July 2016 by the Government of India, under the Ministry of Electronics and Information Technology (MeitY).

Prior to its establishment as a statutory authority, UIDAI was functioning as an attached office of the then Planning Commission (now NITI Aayog) vide its Gazette Notification No.-A-43011/02/2009-Admn.I) dated 28th January, 2009. Later, on 12 September 2015, the Government revised the Allocation of Business Rules to attach the UIDAI to the Department of Electronics & Information Technology (DeitY) of the then Ministry of Communications and Information Technology.

UIDAI was created with the objective to issue Unique Identification numbers (UID), named as “Aadhaar”, to all residents of India that is (a) robust enough to eliminate duplicate and fake identities, and (b) can be verified and authenticated in an easy, cost-effective way. The first UID number was issued on 29 September 2010 to a resident of Nandurbar, Maharashtra. The Authority has so far issued more than 111 crore Aadhaar numbers to the residents of India.

Under the Aadhaar Act 2016, UIDAI is responsible for Aadhaar enrolment and authentication, including operation and management of all stages of Aadhaar life cycle, developing the policy, procedure and system for issuing Aadhaar numbers to individuals and perform authentication and also required to ensure the security of identity information and authentication records of individuals.”

Besides this, any individual based in India will have faced compulsion at the hands of governmental authorities and service providers to supply an Aadhaar number in order to avail even the most basic services.

Good

The idea of generating a unique code number for every citizen seems super innovative for a high-population country like India.

However, for this scheme, in the current scenario, the good part ends with the idea.

Bad

The current system is a poorly designed, unreliable and expensive solution to the seemingly innovative and revolutionary idea of providing national identification for over a billion Indians. Even on the face of it, it violates the right to privacy of an individual.

The way sensitive data has been and is being collected and managed by enrollment agencies, registrars and sub-registrars, and is now distributed freely by the government to private players who have no considerable legal liability for any misuse of this data, makes it amply clear how vulnerable we all are to a breach.

What further complicates this issue is the fact that once the data is leaked, there is no substitute or cure for the breach. Of course, no individual can change or alter his or her biometric signatures.

This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of the internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Why this hue and cry on privacy?

As the issue of citizens’ right to privacy is pending a decision by the constitutional bench of the Hon’ble Supreme Court of India, there is already an increase in cases of leakage of citizens’ Aadhaar details.

Going step by step into the issues, the most primary is how agencies are collecting and handling this data.

Is enrolment in Aadhaar verified by the agencies?

In recent times, militants have been found carrying Aadhaar cards, which establishes that making Aadhaar a precondition and an enabling document would only add to the chaos and make it easy for enemies of the state to abuse the procedures. When a militant can get an Aadhaar card, how much verification is done by the agencies becomes amply questionable.

This raises the question as to how many bogus

How safely is the data handled by the agencies?

As per a report in the Hindustan Times, the personal details of over one million Aadhaar subscribers were leaked on a website run by the Jharkhand Directorate of Social Security. Most of the vulnerable are senior citizens, who are beneficiaries of the state’s old-age pension scheme. Jharkhand has 1.6 million pensioners, among whom 1.4 million have reportedly seeded their Aadhaar cards for direct transfer of the monthly pension into their accounts. In the security violation, personal details such as name and bank account number were revealed for the bulk of these users, deepening the existing worries about the safety features of Aadhaar cards.

According to Section 29(4) of the Aadhaar Act, publishing the Aadhaar numbers of consumers is illegal, though such violations are known to have happened in the recent past.

Earlier this year, cricketer Mahendra Singh Dhoni’s Aadhaar details were inadvertently leaked on social media, which led his wife, Sakshi, to complain to the Union Law and Information and Technology Minister, Ravi Shankar Prasad. In its response, the Unique Identification Authority of India (UIDAI) blacklisted the service provider for 10 years.

It is further interesting to observe that if blacklisting a service provider is the solution the government is offering, and that too in the case of a data leak concerning Mr. Dhoni, then what kind of resolution can we expect for a common man?

Is the Aadhaar system foolproof?

As per a report published in Forbes last year, security researcher Jan Krissler (nicknamed Starbug) of the famous Chaos Computer Club, who cloned the fingerprint of Germany’s federal minister of defense using pictures taken with a “standard photo camera”, has claimed that the same technique can be used to fool iris biometric systems.

As per Krissler, the attack depends on a number of factors, such as:

· The target’s eyes had to be bright because of the way the infrared-based system his company bought for Krissler used light.

· The image should be large and expanded.

· The image of the iris should have a diameter of 75 pixels.

· The printout should have a resolution of 1200 dpi.

The major difference between the two techniques is that, unlike a fingerprint security system bypass, which requires a proper clone of the finger, an iris recognition hack needs only the printout. So an attacker willing to carry out this kind of attack just needs a high-definition picture with bright eyes, and conveniently, there are a vast number of HD images of some of the most powerful personalities all over the world available on the internet.

In another incident, students at the Institute of Chemical Technology (ICT) in Matunga, Mumbai used their knowledge of chemistry to hack the institute’s biometric attendance system.

Around 200 students at the institute used small layers of a widely-used resin adhesive and pressed their thumbs against them, embossing them with their fingerprints. These films were then used by their friends to mark attendance for their absent friends.

In light of the above, it is quite apparent that Aadhaar verification can easily be fooled.

How vulnerable are we, and how does this issue affect everybody?

Financial Vulnerability

With demonetization, citizens at large have been compelled to use digital modes of payment, and with the seeding of Aadhaar with bank accounts and the launch of the likes of the BHIM app, which enables the use of biometric data such as a fingerprint to enable a transaction, it has become much simpler to cheat an individual of his or her hard-earned money. What is further horrifying is the question of whether, once an individual’s biometric data is in the public domain because of mishandling or criminal intent on the part of the collection or handling agencies, there will be any way of avoiding and/or blocking the use of biometric-based transactions.

Civil and Criminal Vulnerability

While the authorities across the country are in the process of connecting and linking Aadhaar to all the processes related to an individual, like property transactions, PAN card, Birth Certificate(s) and Pension etc., with the ease to the users comes the danger of breach and identity theft by criminal minds. As a lawyer I have come across many cases where, instead of a bona fide seller, an impersonator is used to cheat a person of his property; how authentic such transactions will become once false verification of such a transaction is done by the conspirators is not at all rocket science to understand.

Another exposure would be the misuse of an individual’s Aadhaar details by criminals to commit crimes.

Identity theft

Think of a scenario where, using an innocent victim’s Aadhaar data, a criminal or an enemy of the state impersonates that person and commits a crime. This could be anything ranging from financial fraud by opening a bogus bank account in the victim’s name, or taking a mobile number in that person’s name, to committing an act of terror with the false identity.

With a false Aadhaar-based verification, and the authorities’ approach of believing it to be a foolproof mechanism, it is foreseeable how difficult it would be for a victim to claim back his or her properties, or to prove his or her innocence or that an act was not done by him or her.

What further adds to such a scenario is that our enforcement and judicial mechanisms are already overburdened, and the hyper-technicality of such transactions will be an added complication.

Comparing Aadhaar to the United States Social Security Number

Aadhaar authenticates a person by matching his or her demographics or biometrics with the records in its database, while the Social Security Number was never intended for authentication purposes and has not been built to do this on a national scale. The Social Security Administration matches a name and associated Social Security Number against its records only in limited circumstances, such as before issuing a replacement Social Security Number, or establishing a claims record.

It “does not verify an individual’s identity”, notes the Social Security Administration website, explaining the verification methods.

Aadhaar captures biometrics. The Social Security Number does not.

Aadhaar collects biometrics, which include the scan of all fingerprints, face and the iris of both eyes. Aadhaar Act’s section 2(g) states that “other biological attributes” may be collected in the future, a provision that was intensely debated in Parliament.

In contrast, when the Social Security Number was created in the 1930s, the US government decided not to collect fingerprints. “The use of fingerprints was associated in the public mind with criminal activity, making this approach undesirable,” notes the Social Security Administration website. The Social Security Number is thus printed on a small paper card and does not carry even a photograph.

In recent years too, the Social Security Administration has refrained from collecting biometrics of residents. In 2007, when the Intelligence Reform and Terrorism Prevention Act asked the SSA to improve the security of Social Security Number cards, the SSA considered adding the holder’s photograph or biometrics to the card but eventually decided against it.

“A biometric identifier, such as a fingerprint, can be an effective and highly accurate way to establish the identity of an individual, but it can also facilitate a much higher degree of tracking and profiling than would be appropriate for many transactions,” said Marc Rotenberg, the president of the Electronic Privacy Information Center, a research organisation, in a testimony to the House of Representatives.

He added: “The problems that will arise when biometric identifiers are compromised are severe. What will happen at the point that your biometric identifiers no longer identify you?”

Conclusion

Aadhaar is perceived in India as a revolutionary step towards Digital India; however, even on the face of it, citizens have been pushed into the project like subjects, without ample consideration of individual rights, practical security analysis, or its implementation as a facility for citizens and individuals. Had the larger interest of the citizens been a precondition, backed by proper technical foresight and practicality, such a system in its current form and processes would not have been made the foundation document for every transaction of an individual in a country which lives under the constant threat of attacks from its neighbors.

As of today, whoever claims the system to be foolproof is either ignorant, or doesn’t understand the fundamental of any system, that nothing is foolproof, or doesn’t care for the system.

In the current scenario, the last hope for citizens is the pending decision on this issue by the constitutional bench of the Hon’ble Supreme Court of India.

In case the factual proposition is not properly appreciated and the Aadhaar system is adopted at full scale, the day is not far when the biometric data of citizens will be sold for petty amounts to criminals and miscreants who will not lose any opportunity to cause damage to individuals and our nation, while we will have no option but to sit as mute spectators.
