Monthly Archives: June 2017

Hacking Of Aadhaar Is Hacking Of Life Of A Person And Not Just His Identity

PRAVEEN-DALAL-MANAGING-PARTNER-OF-PERRY4LAW-CEO-PTLB3Aadhaar is a unique project not only in India but also worldwide. This is because nowhere in the world a biometric database has been created at such a mammoth scale. However, the mere concept of Aadhaar and using biometric in an omnipresent present manner is very dangerous and undesirable.

Firstly, creating a biometric database of entire country is a serious national security threat. When such a large scale exercise is done, many loopholes and shortcomings are natural. This happened with Aadhaar as well and many criminals, terrorists and undesirable elements have also obtained Aadhaar. Many people in India are openly making fake Aadhaar cards that are in use for various types of government and private services in India like purchasing SIM cards, making passports, etc. No time in the history of India, national security was jeoparadised so much.

Secondly, clubbing Aadhaar biometric database and non biometric data with virtually everything is a sure recipe for disaster. When a database like Aadhaar is used everywhere no technology of the world can keep it safe. I used the words keep it safe because Aadhaar database is not safe and this is a reality whether we like it or not. The only question is for how long we can hide Aadhaar and its biometric database from the eyes of crackers and ransomware gang?

Thirdly, cyber security of Aadhaar and its biometric database is not at all adequate. Indian Government has already surrendered before the data breaches that have been happening in the Aadhaar ecosystem. Sensitive personal information, including Aadhaar numbers, phone numbers, bank account numbers, etc, are already in public domain as Government departments and agencies have no idea about cyber security and data security.

Fourthly, India has no dedicated laws on privacy and data protection. Indian Government is deliberately avoiding formulation of privacy and data protection laws. On the contrary, Indian Government pleaded before Supreme Court of India that Indians do not have a right to privacy as a Fundamental Right. However, this claim of Indian Government kick backed as now in the proceedings against WhatsApp, Supreme Court cannot do much. Indian Government and Supreme Court have no basis whatsoever to make WhatsApp liable for privacy and data breaches as far as they are concerned with Indians and their data.

Fifthly, we have no dedicated law for cyber security in India. Indian Government has been using guidelines/rules as a substitute for full fledged laws and these guidelines/rules are clearly not enough. Some guidelines/rules have been issued regarding privacy, data protection and some aspects of cyber security but the legislative vacuum remains in the cyber security field.

Sixthly, we have no cyber security breach disclosure norms in India. Government departments, agencies, etc have no obligation to report to a Government appointed authority about cyber attacks and cyber breaches. UIDAI is also under no obligation to disclose cyber breaches of biometric database and is the sole investigation and prosecution agency for breaches affecting Aadhaar CIDR or Aadhaar ecosystem. Naturally, we do not have even a single CIDR and biometric breach of Aadhaar so far though Aadhaar based biometric authentication notifications are flooding the e-mails of Aadhaar holders.

Let us analyse the cyber security infrastructure of India as well. Cyber security infrastructure in India is in bad condition. In fact, it has yet to make a beginning. It is really surprising that for such bad cyber security infrastructure, UIDAI and Government are claiming that Aadhaar and its biometric database are fully secure. India is the only country in the world that believes that it can achieve 100% cyber security for even a single project. That would have been a great achievement if this fact was true. Unfortunately, this claim is far from reality and the truth is that Aadhaar is a highly vulnerable system from cyber security, data security and privacy perspectives.

Cyber security is only as strong as is the weakest link. In case of Aadhaar it is very difficult to find its weakest link as all links are competing themselves to be the weakest one. From the design of Aadhaar to acquisition of biometric to their safe custody to their authentication, everything is insecure. Biometric can be leaked from any part of this weakest cyber security chain that is suffering from both a design flaw as well as classic example of bad cyber security practices. Who needs a bug or cyber security vulnerability when the flawed design itself is both a front door and backdoor entry as a feature?

For instance, more than 75% of biometrics collected by private agencies engaged by UIDAI used plain form/text acquisition and storing in the past. It is only now that UIDAI has asked them to encrypt the same while acquiring the biometric. Still it is not clear how much this direction has been followed by Aadhaar enrolment agencies as they are poorly paid by UIDAI. It would be safe to presume that they are still not using encryption methods while acquiring biometric as their due are still to be cleared by UIDAI. They have not been able to even get back their investments and are using all available methods to earn money so that the capital initially invested can be recovered. But even presuming that Aadhaar enrollments are now secured by encryption, still more than 75% of biometric acquired by enrollment agencies was managed in unencrypted and plain text form. Nothing can be done about those people whose biometric have been compromised for life and can be abused at any point of time in future.

This is not the end of the story. In many cases biometrics were directly stored on pen drives and in some cases hard disks containing biometrics of crore of Indians were gone missing. Outsourcing of work by UIDAI to private players and foreign companies has also resulted in migration of biometric of Indians even beyond India to foreign jurisdictions. Abuse of Aadhaar and its biometric cannot be ruled out even when rouge service providers authorised to conduct EKYC would manipulate the systems to retain a copy of authenticated EKYC and biometric prints. Besides there are diverse methods to break encryption and other security protocols as deployed by UIDAI.

So the claims of UIDAI and Indian Government that Aadhaar, its CIDR database and biometric of Indians are absolutely secure is novice at the best. Let us proceed further with the reality that Aadhaar is vulnerable to diverse forms of cyber attacks, ransomware attacks and other forms of attacks and would be compromised in near future.

Now once compromised, it would create serious life and security problems for Indians. This is because hacking of Aadhaar is hacking of the life of an individual and not just his identity. An identity theft or simple cyber crime can be reversed but not theft of biometric of a person. Once biometric of an individual are gone, they cannot be changed or reversed unlike a password or other system. Now if biometric of an individual have been associated with a single or two services, the loss of such biometric is insignificant. But when the biometric of an individual are associated with or seeded with virtually everything, this creates a serious problem for life and liberty of the concerned individual. This is more so when such biometrics are set to be used for Digital India and other E-Governance projects of Indian Government.

In the Indian context, this means forcibly putting the life, liberty, cyber security, data security, Fundamental Rights and virtually everything of an Indian Citizen/resident in the hands of a technology savvy criminal. Of course, these dangers are very real and fatal when our own Government and Intelligence Agencies would use various centralised database of which Aadhaar is the obvious key.