Report on Data Security: Aadhaar Meltdown in India

Aadhaar, India’s national biometric identity system, comprises one of the world’s largest databases of biometric and demographic identity data. A system of vast scope with the fingerprints, irises, and faces of over one billion people. This biometric data is then linked to both government-sponsored programs and private services, including welfare benefits, mobile phone service, banking and financial services, traffic enforcement, and more. As of October 31, 2018, 1.2 billion Aadhaar numbers have been assigned, covering 89.9% of India’s population.

For the full report, please read below.

Table of Contents

• Vast Scope and Scale
• Mounting Privacy Concerns
• Social Effects
• Security Meltdown
• Authenticity of Data Compromised
• Broken Identity Systems

Vast Scope and Scale

Aadhaar works through a network of local government agencies and private participants who onboard citizens onto the system, scanning fingerprints, taking images of irises, and running facial-recognition scans. Residents are then issued a unique 12-digit number providing proof of residence, with biometric authentication provided by way of fingerprint, iris, or face scan.

As told by Indian authorities, Aadhaar will help bring the country into the digital age, streamline administration of public services and reduce fraud in government programs, and bring an end to a sordid history of political corruption. The Unique Identification Authority of India (UIDAI) sees Aadhaar as a forward-looking platform that will engender digital innovation and serve as fundamental infrastructure for twenty-first century economic development.

In order to be effective in its mission, the UIDAI launched a massive enrollment campaign in 2009 aimed at registering 40% of the population within two years. Speaking to the New York Times, Jacqueline Bhabha, professor and research director of Harvard’s FXB Center for Health and Human Rights, said, “No has approached that scale and that ambition. It has been hailed, and justifiably so, as an extraordinary triumph to get everyone registered.” As efforts ramped up to expand coverage to all Indian citizens and residents, Aadhaar numbers slowly came to be mandated for everything from taking school exams to opening new bank accounts.

Since 2014, under the direction of Prime Minister Narendra Modi, Aadhaar has taken on even further scope and ambition. As the New York Times has reported, citizens must scan their fingerprints for everything from government rations and pensions to middle-school exams. At a hospital in Bhopal, parents must register their newborns with Aadhaar before they can leave the hospital. And moves were made in 2016 to make Aadhaar ID numbers mandatory for cell phone service and banks accounts, or risk losing access altogether, while employers were encouraged to use Aadhaar to run background checks on prospective employees.

Mounting Privacy Concerns

Aadhaar, run under the Unique Identification Authority of India (UIDAI) and given authority under the Ministry of Electronics and Information Technology by the government of India, has been on the receiving end of criticism since its inception, with fears ranging from the establishment of an Orwellian-style surveillance state to concerns about the security of a such an expansive store of centralized data.

But as Aadhaar experienced “mission creep” over the years and mandatory requirements were put in place with the 2016 Aadhaar Act, direct opposition has mounted. As a deadline for providing Aadhaar numbers for the continuation of banking and mobile phone services loomed, over 30 suits were filed against the program with India’s Supreme Court. Both ordinary citizens and activists complained of being inundated by coercive phone calls and emails from banks, mobile operators, and other service providers requiring them to link their Aadhaar numbers to their accounts. Privacy advocates expressed concern over the government’s unregulated access to the data and lack of safeguards against abuse. Critics dubbed Aadhaar the “world’s biggest surveillance engine” and declared it “the end of privacy.”

“Speak for Me,” a campaign launched by activists to pressure the government to allow citizens to opt-out of mandatory linking, received and sent 4,000 messages within its first 24 hours when it was launched at the end of 2017. Ultimately, pressure culminated in a ruling by the Supreme Court in September 2018 that the government must pull back on mandatory requirements for its use by banks, telecoms, and other Indian companies, with the court citing privacy concerns and pushback from opponents who fear further encroachment on privacy rights.

In their majority judgement, delivered on September 26, the Supreme Court ruled that the system is constitutionally legitimate and can be used to administer welfare benefits and collect income tax, but cannot be made mandatory for services offered by private entities. Rahul Bhatia, a journalist in Mumbai, wrote for the New York Times, “The government argued that Aadhaar enabled it to subvert fraud in the delivery of welfare, curb money laundering, thwart terrorism and achieve efficiency. But these justifications did not convincingly explain why Aadhaar was demanded by schools, colleges, hospitals and insurance companies.”

In lone dissent, Justice Dhananjaya Y. Chandrachud, who rose to prominence for establishing a fundamental right to privacy for Indians in a landmark Supreme Court ruling just last year, spoke directly to issues of data protection and the right to privacy, writing, “The state has failed to satisfy this court that the targeted delivery of subsidies which animate the right to life entails a necessary sacrifice of the right to individual autonomy, data protection and dignity,” and that “this is contrary to the right to privacy and poses severe threats due to potential surveillance.”

Social Effects

In response to the controversy, the Modi government launched a campaign positioning the system, and its invasive data collection and usage, as patriotic and necessary for the economic development of the country, as the negative second-order effects were dismissed as necessary evils or ignored altogether.

As Aadhaar has expanded, focus has been placed on the use of system to help streamline the administration of welfare benefits and reduce fraud in government programs, which often comes with the unintended effect of also preventing those in need from getting access to benefits simply because they live in rural areas that don’t have access to the systems necessary for enrollment.

As a result, millions of the rural poor, many of whom don’t have access to basic infrastructure such as electricity and internet, are now at risk of losing access to food, pensions, and other welfare benefits necessary for survival. It was reported that, after the government made Aadhaar verification mandatory for food rations, more than 25 Indians died from starvation as a result of Aadhaar related issues.

In a survey conducted by economists about the effects of Aadhaar on food security, titled “Aadhaar and Food Security in Jharkhand,” it was found that “households that failed to obtain any grain at all was five times higher in villages where authentication was compulsory (20 percent) than in those where it was not (4 percent).” Researchers also found little evidence of identity fraud in welfare programs regardless of the presence of Aadhaar or not, while reporting no measurable difference in levels of corruption.

While the system does have its tangible benefits, such as providing millions of Indians who were previously unable to prove who they were with standardized identification and allowing banks and other private companies to quickly verify customer identity, in a society where so many still lack access to basic infrastructure the social effects of a government mandated identity to access services can be calamitous.

Security Meltdown

Given the vast scope of the Aadhaar program, and the ever-increasing ambition of the Modi government and the Unique Identification Authority of India, protecting the privacy of citizens and data of over one billion people is of paramount concern. And here the Indian government has failed, spectacularly.

In March 2017, four government websites exposed 130 million Aadhaar numbers along with linked information, including bank and post office account details, in what was referred to as a “Mega Aadhaar Leak.” A month earlier, information on up to 600,000 children was exposed. In April, the Jharkhand Directorate of Social Security leaked information on another 1 million residents. Just a few months later, in November, an additional 210 government websites were found to be publicly displaying Aadhaar data such as names, addresses, and Aadhaar numbers.

In an investigation conducted by the Tribune in January, it was discovered that information on more than one billion Aadhaar users could be had for as little as 500 rupees (approximately $7) on WhatsApp. Once payment was made, the Tribune was given access to an official portal that allowed them to enter an Aadhaar number and instantly get access to the user’s name, address, postal code, photo, phone number, and email address. For an additional 300 rupees they could get an Aadhaar card printed for a specified number. The WhatsApp scheme had been ongoing for months.

And leaks just kept coming. In March 2018, a security researcher discovered a data leak from Indane, a state-owned gas company, allowing anyone with basic technical ability to access personal information on any Aadhaar user, including their name, unique 12-digit number, utility account number, connected bank accounts, and more. After Karan Saini, the Indian security researcher who discovered the leak, and ZDNet tried contacting UIDAI authorities to alert them to the issue no action was taken and the security vulnerability persisted until the story was published more than three weeks later.

In response to the report, the UIDAI denied the vulnerability, saying “there is no truth in this story.” UIDAI displaced the blame onto Indane, even though Indane is itself a state-owned enterprise. Following the incident, Rahul Bhatia wrote for the New York Times, “Every week brings new revelations about the considerable gaps in India’s digital infrastructure. Compounding the anxieties is the failure of the Indian government agencies to act on these findings when alerted by researchers.” In the wake of continued revelations, multiple researchers and journalists came forward with allegations of government harassment and criminal charges stemming from their reporting on Aadhaar vulnerabilities.

Despite claims that past leaks have been shored up, the website of the Andhra Pradesh government, one of the four discovered to be exposing Aadhaar numbers early last year, was still exposing phone numbers, Aadhaar numbers, names, bank account numbers, and passbook numbers as late as September of this year. Anyone with the mobile phone number of someone in the database could search that number on Google and be given results that linked directly to database records on the Andhra government website. Exposed data contained personal information on 23,000 farmers who received subsidies from the Andhra Pradesh government.

Speaking to the Huffington Post, security researcher Sai Krishna Kothapalli said Aadhaar’s weaknesses were a result of their not being enough Indian security experts providing support to government agencies. “The US Department of Defense and others have a responsible disclosure program and a lot of people from India take part in that. Our talent is being used by them instead because the government here does not reply at all,” said Kothapalli. Security experts have also pointed to the lack of government bug bounty programs to incentivize the finding and reporting of vulnerabilities.

The UIDAI has stood steadfast by its claim that no biometric data has been compromised since Aadhaar’s inception, and that without that data, which is used for authentication, hackers are unable to hijack identities. Even so, leaked data associated with Aadhaar has put hundreds of millions of Indian citizens and residents at increased risk of identity fraud and compromised bank account information could lead to significant financial damages.

Reports of stolen or fraudulent Aadhaar numbers being used to withdraw money from people’s bank accounts have become commonplace, and more than a handful of Indians have found their Aadhaar numbers being linked to SIM cards that aren’t even theirs. Airtel, an Indian telecom, has also been accused of opening bank accounts for customers without obtaining their consent when performing Aadhaar-based SIM verification. To make matters worse, revelations of a software patch that enables hackers to create Aadhaar numbers at will has thrown the credibility of the entire system in doubt.

Authenticity of Data Compromised

An investigation by HuffPost India revealed in September that hackers were able to develop a software patch that “disables critical security features of the software used to enroll new Aadhaar users.” The ability for unauthorized users to create fraudulent identities immediately put the authenticity of all Aadhaar numbers in doubt, and potentially renders mute purported claims that the system will help reduce corruption, money laundering, and fraud. The patch, available for as little as 2,500 rupees (approximately $35) was still in widespread use at the time of the report.

Three security experts analyzed the patch and found that it allows a user to: bypass biometric authentication of enrollment operators; create unauthorized Aadhaar numbers; disable geolocation security features, making it possible for anyone regardless of location to enroll new users; reduce the precision of the iris-recognition system, making it easier to trick the program into accepting photographs of operators.

Speaking to how centralized databases that store data on a massive number of people present highly rewarding targets, Gustaf Bjorksten, Chief Technologist at Access Now, said, “There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile. To have any hope of securing Aadhaar, the system would have to be radically changed.”

Experts pointed out that the vulnerability stems from a decision made in 2010 by the UIDAI to allow private agencies to enroll users in the Aadhaar system. While private third-parties allowed the government to rapidly enroll hundreds of millions of residents within just a few short years in order to meet publicly announced goals, it also left open gaping security holes and led to serious accusations of system misuse by enrollment operators. As a result, the UIDAI terminated its contracts with all Common Service Centers in February 2018 and choked down Aadhaar enrollment to authorized banks and government institutions.

Broken Identity Systems

India suffers from the same problems as many other governments around the world, including the United States, where large populations lack a wealth of documentation to prove who they say they are and systems have been put to use for purposes they were never intended for. An attempt to document citizens and residents through the development and implementation of government-sponsored digital identity initiatives must take into account the potential ramifications of the program on those who find themselves on the fringes of society, as well as hold the right to privacy and data protection in the highest esteem.

By trying to extend Aadhaar to services it was never intended for, the Indian government has compromised the entire project, opening itself up to an increase in intrusions and backlash from its citizenry. While the Indian government attempts to vacuum up as much data as it can get its hands on it, it seems incapable of protecting it. Gross negligence and lack of transparency on the part of the UIDAI, and its handling of privacy and security concerns, which so far has amounted to nothing more than denial of vulnerabilities and legal action against critics, does not inspire confidence in the system moving forward.

As Reetika Khera, a development economist at the Indian Institute of Technology in Dehli, writes, “Aadhaar was supposed to showcase the government’s forward thinking about efficient administration; it has only exposed the state’s coerciveness. It was supposed to ease the poor’s access to welfare; it has hurt the neediest. It was supposed to harness technology in the service of development; it has made people’s personal data vulnerable.”

Just as large corporations have proved successful at evading accountability for failing to protect data, government agencies have yet to bear responsibility for their failures as well. Broken government-sponsored national identity systems pose both a massive risk to sensitive personal data and to the privacy and autonomy of their citizens. As for India, the Supreme Court, for now, has proved to be the critical check on the aspirations of the Indian government, affirming the right to informational privacy and preventing Aadhaar from further encroachment on the lives of its citizens.