In a shocking security breach of Aadhaar, India’s biometric ID project for residents, the police have arrested 10 men in Uttar Pradesh in North India for successfully creating fake biometrics identities in the Aadhaar database, by cloning fingerprints.

On September 11, the Uttar Pradesh Special Task Force caught a 10-member gang who have been impersonating the credentials of certified Aadhaar operators both by faking the operators’ fingerprints using photopolymer resin, and by illegally cracking open enrollment software of the Unique Identification Authority of India (UIDAI).

As per news reports, the criminal gang lifted the fingerprints of the operators sub-contracted by the UIDAI, printing the fingerprints on a butter paper. Additionally, they illegally used a software vulnerability to bypass the iris authentication check established by the government. Such a breach would allow any one to send enrollment packets into the Central Identities Data Repository, where all biometrics and demographics data of Indian residents are stored.

News reports indicate the revenue model of this latest theft was abased on selling kits of software, and fingerprints at Rs 5,000 each, which allowed people to run fake enrollment agencies.

The police team claimed in raids, they found “38 cloned fingerprints on paper, 46 cloned fingerprints made of a chemical, 12 mobile phones, two Aadhaar finger scanners, two retina scanners, eight rubber stamps, 18 Aadhaar cards”, according to an Indian Express report. The investigation is still on, and Uttar Pradesh Special Task Force have said the network operating the latest Aadhaar scam may extend to several states.

We demand that the UIDAI:

• Immediately halt coerced enrollment, linking of services and existing IDs to Aadhaar; withdraw of all notifications issues under section 7 of Aadhaar Act mandating Aadhaar for essential services
• Independent audit of Aadhaar database, by a public agency with public representation 
• That UIDAI immediately notify and compensate unsuspecting residents whose personal biometrics data may have been compromised at these fake enrollment centers
• UIDAI make public the records of when did the details of the Uttar Pradesh STF police investigation and raids first come to light, for how long and in how many states have such security breaches been found so far
• UIDAI must explain to Standing Committee on Home Affairs how many instances of breach / attempt to breach of Aadhaar database has been notified to UIDAI and what has been the action taken by UIDAI in all such cases?

What this latest breach means

The latest incident is a shocking breach of public trust. The government claims Aadhaar is more foolproof than any existing Proof of Identity and Proof of Address documents because it is accompanied by biometrics.

As per the UIDAI, only authorized agents can do enrollment, and all enrollment must be validated by the operator's finger print and iris along, with their Aadhaar number. This breach shows a poor process of approving who could be doing the enrollments as unaudited and unverified enrollments entered the CIDR central database. This attack shows the government’s claims to be false and makes approved enrollments in the CIDR made via these compromised operator accounts worthless.

In this latest security breach, the criminal gang had successfully cracked open the enrollment software. Official statements and news reports on silent on how this was done. The result was that they were able to send enrollments into CIDR by impersonating the credentials of certified operators.

The latest incident shows the UIDAI is unable to guarantee the veracity of data in the Aadhaar repository. It has failed to guarantee the security of residents’ identity information, including core biometrics which cannot be replaced. Experts have also warned that if a fingerprint can be faked on a high resolution scanner used during enrollment, it can definitely be faked on the low resolution scanners used during authentication.

Aadhaar-based biometric scams, identity theft are now a real risk for the poor, especially those with less access to digital literacy.

Help us help you

Lack of legal remedies to citizens

Despite security vulnerabilities, the government of India is continuing pushing residents, including minors and elderly who are especially vulnerable, to enroll into the Aadhaar database. There is a continuous push to enroll along with a threat of cutting off citizens from essential services of food, coking gas, pensions, scholarships, disability aid, and now the threat of cutting off access to bank services and mobile connections, unless they submit their biometrics and link every existing ID to the Aadhaar database.

There is also a worrying absence of legal remedies to residents if their personal data being made insecure by the UIDAI.

Section 47(1) of the Aadhaar Act says: “No court shall take cognizance of any offense punishable under this Act, save on a complaint made by the Authority or any officer or person authorized by it.” 

Thus, UIDAI is responsible for both maintaining the security and confidentiality of identity information and authentication records, as well as for approaching a court in case of a security breach – which is a conflict of interest. There is no provision in the law for residents to get mandatory notifications from UIDAI, if their data is breached.

Worryingly, this is not the first time such a breach has been detected. Four years back, in 2012, Infrastructure Leasing & Financial Services Limited (IL&FS) staff had enrolled 30,000 people fraudulently in Hyderabad. 

There is fraud not only at the enrollment stage, but also at the authentication stages leading to identity fraud.

Earlier this year, students at a technology institute in Mumbai demonstrated how easy fingerprints cloning is when they used it to falsify attendance.

Despite warnings from security experts over the years and petitioners approaching the Supreme court that biometrics is an insecure, non-consensual, and broken technology, and that biometrics can be easily replicated and cloned using even fevicol and wax, and that such breaches have occurred in other countries, the both the Congress and the BJP government have pushed the residents of India to submit their biometrics into an insecure database.

This coercion must stop, and both the UIDAI and other central agencies mandating Aadhaar must be held to the highest standards of accountability for risking citizens’ personal data into an insecure and compromised database.

News reports on breach:

Gang involved in making fake Aadhaar cards busted in UP, 10 arrested

UP Gang Found Complex Way To Make Fake Aadhaar Cards, Say Police

Engage with us on Twitter: