Rethink Aadhaar writes to Home Affairs Committee on security issues of Aadhaar

This week’s stellar investigation by the Tribune, Chandigarh has definitively exposed the fragility of the security of the UID project. Activists, scholars, experts and academics have been warning of the insecurity of the Aadhaar database since its inception.

Following the Supreme Court's landmark judgment upholding privacy as a Fundamental Right, the Parliamentary Standing Committee on Home Affairs decided to review the Aadhaar project based on the historic recognition of the tenets of privacy and security. As per news reports, officials of Home Affairs Ministry and UIDAI addressed concerns raised the Committee.

Rethink Aaadhar wrote to the Chairperson and Members of the committee on the 15th November, 2017 and 14th December, 2017. We raised several concerns including those related to privacy, security and data breaches.

Our letters are attached along with a simple presentation of issues sent to the Committee.

Take action now!

Help us help you

We sincerely hope that the Committee refers to the concerns raised in our letters and addresses them appropriately by giving suitable recommendations.

As citizens of India, we call upon the Government of India to recognise the failings in the Aadhaar project, as highlighted in our letters, making it a threat to national security and abrogating citizens’ rights.

----------

To,
Chairperson and Members
Parliamentary Standing Committee on Home Affairs

Sub: Grave security concerns related to Aadhaar

With regard to the committee's work on Aadhaar, and in continuation of our earlier Memorandum highlighting privacy and security concerns of Aadhaar, we would like to highlight few real world security issues encountered with Aadhaar and the associated ecosystem. We would like to point to these issues to highlight the gravity of the misuse of Aadhaar and potential harms in the future to come.

Aadhaar in principle as a Digital Identity cannot establish the identity of an individual without being verified through a digital transaction, either an authentication by Unique Identification Authority of India (UIDAI) or by the user through his online verification password and / or biometric authentication. This concept of a Digital Identity is not entirely understood by an average citizen or any individual collecting this information as part of the Government requirements. This is leading to citizens being confused and harmed due to the security lapses made at various levels in the ecosystem. Some of these security issues can be fixed with due diligence and further improvements in security, but the current design of the Aadhaar architecture and infrastructure is inadequate to protect citizens from harm due to negligence.

We hope the points being highlighted are used constructively to improve it and make an average individual not prone to any harm in the cyberspace.

Reported Misuse Cases of Aadhaar:

The lack of electronic infrastructure to establish this identity is severe and makes people accept a paper copy of Aadhaar of any individual as a proof of identity. Photoshopped Aadhaar cards are being used to fake identity, brokers are trading copies of Aadhaar for as low as Rs 5 causing potential identity and financial risk to law abiding citizens.
In a reported incident in Bhubaneswar, a foreign national Zeboo Asalina of Uzbekistan was found with an alternate identity Aadhaar of Duniya Khan as a resident of Lajpat Nagar in South Delhi.
Aadhaar is not a proof of age as clarified by the UIDAI, but Aadhaar is being used to claim minor children as majors in flesh trade as consenting adults with wrong date of births or with photoshopped physical copies of Aadhaar.
There have been several reports of rogue enrollment centres enrolling multiple individuals with no verification at all, Adding to it sophisticated security modifications were performed to bypass security protocols of UIDAI by making new biometric clients and cloning biometrics using polymer resins in Kanpur as reported by the UP Police Special Investigation Task Force.

Information Security of Aadhaar Demographic Information:

There have been several reports of publication of Aadhaar demographic information containing Aadhaar Number, name, age, date of birth, caste, bank account numbers by various government and non-government entities.
The information of Aadhaar numbers along with bank account numbers and several demographic information can be used to easily commit financial fraud by rogue elements. The information published by various departments on the internet will always be a threat, as there are hundreds of search engines indexing and storing public information available on the internet.
A report by Centre for Internet and Society estimated just 4 government websites published demographic information of 13 crores Aadhaar numbers of individuals along with 10 crore bank account numbers.
Minister of State for Electronics and Information Technology in his written reply to Member of Parliament SHRI M.B. RAJESH clarified that 210 government websites of Central Government, State Government departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of general public.
The Application programming interface of Aadhaar allows third party companies to perform E-KYC, who in turn are required to store the KYC details for audits. Private companies cannot be trusted with the security of Aadhaar Demographic Information. There have been several security breaches reported within private sector including the recent breach of telecom service provider “Jio”, whose subscribers demographic details were found on internet forums. Whether the security breach within Jio servers, has also caused any potential leak of Aadhaar numbers has not been yet asserted.
There is no clarity on who is allowed to collect Aadhaar from an individual. With no active publicity of where Aadhaar is not mandatory, Citizens are under risk by sharing it with everyone. Increasingly several private internet companies like Amazon India, Ola Cabs, Paytm are demanding the Digital Identity for E-KYC with no official government order in place. This misunderstanding of what Aadhaar is will make it hard for Demographic Information to be secure at any given point of time.

Security of Biometrics and usage within Aadhaar Ecosystem:

Biometrics unlike passwords cannot be modified in the event of breach, it is near impossible to change fingerprints and iris of an individual. However they are easily accessible directly from an individual to collect it under various circumstances like social engineering or stealing by just using a polymer resin.
Biometric scanners can also be easily fooled with cheap adhesives, Around 200 students of Institute of Chemical Technology in Matunga used polyresins to spoof attendance.
Biometric readers currently used in practice do not encrypt the fingerprint images at source, the encryption of images occurs on mobile or computer device application and then is uploaded to CIDR for verification. There is always a possibility for malware or secondary computer programmes running in the background to capture biometric details at source collection.
The UIDAI has issued new specifications for devices to collect biometric data in January 2017 only, the new specifications make it mandatory to use recognized biometric devices. Yet, these biometrics devices do not encrypt the biometric data within device again and are prone to attacks.

Security of Central Identities Data Repository:

The Central Identities Data Repository (CIDR) houses all of the biometrics and demographic information has been classified National Critical Information Infrastructure. For security reasons within the architecture of Aadhaar, CIDR is not connected to the internet directly. Around 254 Authentication Service Agencies are licensed to access CIDR directly through a secure network, which in turn allow other licensed entities to indirectly access CIDR.
An Engineer Abhinav Srivastava has been arrested for indirectly accessing CIDR without permission. He exploited an Application Programming Interface (API), security key used by a government Android Application “e-Hospital“ developed by National Informatics Center, which has direct access to CIDR.
The licensed entities which are allowed to have access to CIDR are not always secure from cyber-attacks. This poses a risk for CIDR being prone to attacks from sophisticated malware.
There is no mandatory audit or a security framework which various private and government entities have to strictly follow to get access to Aadhaar APIs, they are required to follow Aadhaar Data Regulations under the Aadhaar Act after they get license to access Aadhaar API’s.
One of the private companies Syntizen Technologies Pvt Ltd. on whom the UIDAI has filed a criminal complaint for maintaining aadhaarupdate.com is contracted to maintain the official Aadhaar Service Agency for Govt. of Telangana and is part of the sandbox firms of IndiaStack, A set of official government APIs maintained by the industry body iSPIRIT whose volunteers built the CIDR.

State Resident Data Hubs:

State Resident Data Hubs (SRDH) are databases with demographic information linked with all services residents in states of India access from government. These databases are part of the Aadhaar ecosystem and not mentioned while describing the Aadhaar Architecture. UIDAI has actively helped various state governments build these databases by providing them with demographic data by terming it Know Your Resident (KYR) data.
State governments collect Aadhaar numbers of citizens and actively link it with every government database containing personal information of the resident, which often includes race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history. SRDH contains every information about the resident giving the state government a 360 degree information of residents. Governments in various states of India have been found to conduct field surveys to collect door to door information including geotagging the location of the resident.
Unlike CIDR, the SRDH databases are connected to the internet and pose a major threat if these databases are ever breached. The user names for Andhra Pradesh SRDH have been published online, making it further easy for cyber criminals to only guess the passwords.
SRDH is how various state governments link mandatory Aadhaar requirement for various schemes. When a citizen has not proactively linked his Aadhaar for any particular service from the Government, the SRDH allows force seeding of Aadhaar from their KYR data provided by UIDAI. KYR data also includes Aadhaar enrollment number, whose Aadhaar number is automatically provided by UIDAI once the Aadhaar is generated.
SRDH of Andhra Pradesh called e-Pragati/People-Hub has integrated 76 government projects with Aadhaar as identifier. SRDH projects are designed to conduct mass surveillance of residents and are out-right against the fundamental Right to Privacy guaranteed under the constitution.

Potential Risks associated with Misuse of Aadhaar Data:

Aadhaar is a direct threat for existence of an individual in our democracy, his digital identity once stolen can be misused to commit fraud or worse kill him and take over his place. Aadhaar provides the state so much power over an individual, if his digital identity is terminated he ceases to exist. It can be used as a kill-switch to stop an individual from accessing every tiny basic service.
Demographic data like medical records associated with Aadhaar can be misused by foreign, domestic state actors and non-state actors like corporates houses to surveil individuals of interest, personal information of individual can be misused to target him emotionally, socially or physically.
The CIDR doesn’t store the race and religion data of any individual. But the SRDH and other associated databases of the government have been found to link Aadhaar number with caste, religion and income information. This information can be misused by biased individuals to discriminate residents over their religious or caste background.
With so much data of individuals being stored in the SRDH databases, a political party in government can misuse this information to profile citizens electorally and cause populist decision making in our democracy. Aadhaar data being used for elections cannot be ruled out as a possibility.
Corporate surveillance of competitors is not unheard of in India, Aadhaar data actively allows employees/citizens being surveilled constantly and increases the risk for an individual to ever legally proceed against corporates.

We would also like to highlight that there is no official policy by the Unique Identification Authority of India to accept security reports from third party security researchers doing important work on identifying security loopholes of Aadhaar.

We have put together a presentation as a supplement to this document which also summarizes our main concerns.

We would have greatly appreciated an opportunity to present our views in person either to you or to the Standing Committee formally. Please do let us know if that can be arranged.

We would also like to request you to use the information outlined in this Memorandum and the earlier one to raise Aadhaar related concerns in the upcoming Winter Session of Parliament and demand answers from the government. Please do not hesitate to reach out in case of any further assistance or help.

Thank you