UIDAI denies fresh breach of Aadhaar data

By Chayan Poddar

Aadhaar, the world’s largest biometric ID system, continues to face allegations of data leaks. Last week, ZDNet, an online portal, published a report about a data leak on the system, which is run by a state-owned utility company. The leaked information contained customer details and could give outsiders access to private information of Aadhaar holders, including their names, unique twelve-digit identity numbers, and bank details.

The latest report of an Aadhaar leak

This new report of a data leak is the latest in a series of explosive data breaches with Aadhaar. One hack claimed that a payment of INR 500 (US$7.7) would give access to the biometric information of a billion Indians including phone numbers, email addresses, and photographs as well as bank details. The leaks have not been rare, with one last November affecting more than two hundred government websites and those of educational institutions which stored personal information along with unique identification numbers.

In response to the report by ZDNet, the Unique Identification Authority of India (UIDAI), the primary collector and protector of this biometric data, quashed the report, saying it was totally baseless and false. Despite all the allegations of data leaks, the UIDAI continues to unequivocally vouch for the safety of the data and dismisses all reports of a leak as irresponsible. The UIDAI went as far as to state that the reports came from sources with vested interests.

The case before the Supreme Court

The data breach incident took an extraordinary turn recently when the Supreme Court voiced its concerns during a hearing of an ongoing batch of petitions challenging the constitutional validity of the Aadhaar Act. In its response, the UIDAI, through Attorney General KK Venugopal, told the Supreme Court that the data was safe in the Central Identities Data Repository, which is fortified by 10-metre-high and 4-metre-wide walls. Moreover, it also reported that it does not share biometric details of residents with anyone and that it would take the fastest computer in the world currently available “more than the life of the universe” to break the 2048-bit encryption. UIDAI assured that the data was encrypted when the user pressed the save button and there was no possibility of third-party involvement in enrollment centres.

Last year, infamous whistleblower Edward Snowden pointed out the vulnerability of Aadhaar in its ‘universality’ approach to information and said that non-government entities in India may ask for the Aadhaar number from customers and form their own databases. The inclusion of Aadhaar in every facet of Indian life left a lot of digital footprints, which are subject to coercion and risk at the hands of cybercriminals and foreign agencies.

Wikileaks followed Snowden by tweeting that the American company Cross Match, which hit the headlines after collaborating with the CIA to identify Osama Bin Laden, supplied fingerprint and iris scanning equipment to the UIDAI. Moreover, it identified a loophole in the system which potentially left 135 million Indians at risk of a data breach.

Government’s reaction

UIDAI argued against this threat by saying that biometrics are registered physically and that the software used comes from “the world’s three best companies” and, since these companies do not share their source codes, the encrypted data cannot be hacked. Moreover, the biometric-matching software is used offline and the biometrics are given an anonymous status before they are fed into the matching software. Also, the Personally Identifiable Information (PII) is segregated so that the software cannot know whose biometrics they are.

In light of the above events, UIDAI is considering legal action against ZDNet for publishing its data breach report. This is consistent with its action against multiple independent security researchers and journalists who have identified loopholes in the Aadhaar system and are said to have been harassed by government agencies. In the midst of this controversy, the verdict of the Supreme Court regarding the Right to Privacy Act is being eagerly awaited.
