
Aadhaar Data Leaks


Aadhaar Data Leaks: How Secure is the World's Largest Biometric Database?

ABSTRACT

This case discusses the security concerns over the Aadhaar card, a national identity project launched by the Government of India (GoI), which seeks to collect biometric and demographic data of residents of India and store this data in a centralized database. Aadhaar is a 12-digit unique identification number issued to the people of India for their unique identification. It is issued by the Unique Identification Authority of India (UIDAI). Using Aadhaar, a person’s identity can be certified and authenticated in an easy and cost-effective way. Aadhaar has been linked to many GoI welfare schemes and is used as identity proof to open a bank account, get a passport, etc. However, there have been substantial deliberations over the privacy and security issues related to the Aadhaar project. Aadhaar is considered to be prone to possible system hacks, insider leaks, and tampering of authentication records and audit trails in the absence of proper security policies. There have been reports of Aadhaar breaches in different regions of India and people are sceptical about its security. Even though the GoI is taking a lot of measures to safeguard Aadhaar data, there is a lot to be done to enhance the safekeeping of the data.

Issues
The case is structured to achieve the following teaching objectives:
• Analyze the significance of Aadhaar for Indian citizens.
• Understand how Aadhaar functions as a link to GoI schemes for people.
• Explore different possibilities of a breach to hack Aadhaar data.
• Analyze how the GoI can strengthen its security measures to safeguard the Aadhaar data.

KEYWORDS
• Cyber Security
• Management Information System (MIS)
• E-governance
• Data Security
• Information System Security
• Data breach, UIDAI

INTRODUCTION TO THE COMPANY


Aadhaar (English: Foundation) is a 12-digit unique identity number that can be obtained by residents of India, based on their biometric and demographic data. The data is collected by the Unique Identification Authority of India (UIDAI), a statutory authority established in January 2009 by the government of India, under the jurisdiction of the Ministry of Electronics and Information Technology, following the provisions of the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016.

Aadhaar is the world's largest biometric ID system. World Bank Chief Economist Paul Romer described Aadhaar as "the most sophisticated ID programme in the world". Considered a proof of residence and not a proof of citizenship, Aadhaar does not itself grant any rights to domicile in India. In June 2017 the Home Ministry clarified that Aadhaar is not a valid identification document for Indians travelling to Nepal and Bhutan.

Prior to the enactment of the Act, the UIDAI functioned, since 28 January 2009, as an attached office of the Planning Commission (now NITI Aayog). On 3 March 2016 a money bill was introduced in the Parliament to give legislative backing to Aadhaar. On 11 March 2016 the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016, was passed in the Lok Sabha.

Aadhaar is the subject of several rulings by the Supreme Court of India. On 23 September 2013 the Supreme Court issued an interim order saying that "no person should suffer for not getting Aadhaar", adding that the government cannot deny a service to a resident who does not possess Aadhaar, as it is voluntary and not mandatory. The court also limited the scope of the program and reaffirmed the voluntary nature of the identity number in other rulings. On 24 August 2017 the Indian Supreme Court delivered a landmark verdict affirming the right to privacy as a fundamental right, overruling previous judgments on the issue. A five-judge constitutional bench of the Supreme Court is hearing various cases relating to the validity of Aadhaar on various grounds including privacy, surveillance, and exclusion from welfare benefits. On 9 January 2017 the five-judge Constitution bench of the Supreme Court of India reserved its judgement on the interim relief sought by petitions to extend the deadline making Aadhaar mandatory for everything from bank accounts to mobile services. The court said that the final hearing for the extension of Aadhaar Linking Deadlines will start on 17 January 2018. In September 2018, the top court upheld the validity of the Aadhaar system. In the September 2018 judgment, the Supreme Court nevertheless stipulated that the Aadhaar card is not mandatory for opening bank accounts, getting a mobile number, or being admitted to a school. Some civil liberty groups such as the Citizens Forum for Civil Liberties and the Indian Social Action Forum (INSAF) have also opposed the project over privacy concerns.

Despite the validity of Aadhaar being challenged in the court, the central government has pushed citizens to link their Aadhaar numbers with a host of services, including mobile SIM cards, bank accounts, the Employee Provident Fund, and a large number of welfare schemes including but not limited to the Mahatma Gandhi National Rural Employment Guarantee Act, the Public Distribution System, and old age pensions. Recent reports suggest that HIV patients have been forced to discontinue treatment for fear of identity breach as access to the treatment has become contingent on producing Aadhaar.

The Unique Identification Authority of India (UIDAI) is a statutory authority and a government department, established on 12 July 2016 by the Government of India under the jurisdiction of the Ministry of Electronics and Information Technology, following the provisions of the Aadhaar Act 2016.

The UIDAI is mandated to assign a 12-digit unique identification (UID) number (termed "Aadhaar") to all the residents of India. The implementation of the UID scheme entails generation and assignment of UIDs to residents; defining mechanisms and processes for interlinking UIDs with partner databases; operation and management of all stages of the UID life cycle; framing policies and procedures for the updating mechanism; and defining usage and applicability of UIDs for delivery of various services, among others. The number is linked to the resident's basic demographic and biometric information such as a photograph, ten fingerprints and two iris scans, which are stored in a centralized database.

The UIDAI was initially set up by the Government of India in January 2009, as an attached office under the aegis of the Planning Commission via a notification in the Gazette of India. According to the notification, the UIDAI was given the responsibility to lay down plans and policies to implement the UID scheme, to own and operate the UID database, and to be responsible for its updating and maintenance on an ongoing basis.

The UIDAI data centre is located at the Industrial Model Township (IMT), Manesar, which was inaugurated by the then Chief Minister of Haryana Bhupinder Singh Hooda on 7 January 2013. Aadhaar data is kept in about 7,000 servers in Bengaluru and Manesar.

Starting with the issuing of the first UID in September 2010, the UIDAI has been aiming to issue an Aadhaar number to all the residents ensuring that it is robust enough to eliminate duplicate and fake identities, and that the number can be verified and authenticated in an easy and cost-effective way online anywhere, anytime. In a notification dated 16 December 2010 the Government of India indicated that it would recognise a letter issued by the UIDAI containing details of name, address, and Aadhaar number, as an official, valid document. Aadhaar is not intended to replace any existing identity cards, nor does it constitute proof of citizenship. Aadhaar neither confers citizenship nor guarantees rights, benefits, or entitlements. Aadhaar is a random number that never starts with a 0 or 1, and is not loaded with profiling or intelligence that would make it susceptible to fraud or theft, and thus provides a measure of privacy in this regard. The unique ID also qualifies as a valid ID while availing various government services such as an LPG connection, a subsidised ration, kerosene from the PDS, or benefits under NSAP or pension schemes, e-sign, a digital locker,[40] a Universal Account Number (UAN) under EPFO, and some other services such as a SIM card or opening a bank account. According to the UIDAI website, any Aadhaar holder or service provider can verify the genuineness of an Aadhaar number through a user-friendly service of UIDAI called the Aadhaar Verification Service (AVS), which is available on its website. Also, a resident already enrolled under the National Population Register is not required to enrol again for Aadhaar.

INTRODUCTION TO CASE

In March 2018, the Intelligence Bureau (IB) reportedly informed the Ministry of Labour and Employment of India that private data from one of the Aadhaar seeding portals of the Employees Provident Fund Organisation (EPFO) had been stolen by hackers, leading to a shutdown of the facility a month earlier. The data theft was from the EPFO’s web portal, which helped subscribers link their provident fund accounts with their Aadhaar numbers. In a note to Dinesh Tyagi, chief executive officer (CEO) at Common Service Centre (CSC), which was dealing with the Aadhaar seeding application, EPFO Commissioner V P Joy (Joy) wrote, “It has been intimated that the data has been stolen by hackers by exploiting the vulnerabilities in the website (aadhaar.epfoservices.com) of EPFO. The web portal has been closed one-and-a-half months back immediately after the possible data theft was reported to us during a process of routine security check. There was some problem in the application run by CSC and it is not related to our data centre that maintains the EPF accounts.” However, the Unique Identification Authority of India (UIDAI) said that the website on which the data breach had allegedly taken place did not belong to it.

The Kargil Review Committee (KRC) was established by the GoI in 1999 to review the state of national security in India in the wake of Pakistani intrusions into Kargil, on the Indian side of the border between the two countries. The KRC recommended the issue of “Multi-purpose National Identity” cards to the villagers living in conflict zones near Kargil to identify the civilians. Subsequently, it was decided that this scheme would be extended to cover all the citizens of India. This was the originating point of Aadhaar. The main purpose for the expansion of the scheme was to safeguard the welfare of citizens by enabling them to access various government schemes through a single identification document. The decision to extend the scheme led to the establishment of a dedicated institution for rolling out UIDAI on January 28, 2009.

AADHAAR MODEL

UIDAI was accountable for providing the basic identification and authentication services of the user. It provided a unique identifier (Aadhaar number) to each resident and stored their biometric and demographic data in a CIDR (See Exhibit I). The UIDAI managed the CIDR and provided identification and authentication services with yes/no answers. An Authentication User Agency (AUA) provided services to users that were successfully authenticated. Thus, an AUA connected to the CIDR and used Aadhaar authentication to validate a user and support its services. The AUAs might be banks.

SECURITY CONCERNS

Some analysts raised concerns about the underlying vulnerability of Aadhaar data (See Exhibit II). According to them, the Aadhaar number by itself would not reveal any information. But when it was linked with the mobile number, bank account, driver’s license, and PAN, the combined information could reveal the profile of the individual. Analysts felt that security and privacy issues could occur at several stages in the Aadhaar lifecycle. For instance, these issues might happen during the collection, transmission, and storage of Aadhaar details in the centralized database.


EVALUATION CRITERIA

During the budget presentation on 29 February 2016, Jaitley announced that a bill would be introduced within a week to provide legislative support to the Aadhaar project. On 3 March 2016 the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, was introduced in the Parliament as a money bill by Jaitley. The decision to introduce it as a money bill was criticised by the opposition parties. Ghulam Nabi Azad, an INC leader, wrote in a letter to Jaitley that the ruling party, the BJP, was attempting to bypass the Rajya Sabha, as they did not have the majority in the upper house. A money bill is only required to pass in the lower house, the Lok Sabha. Tathagata Satpathy of Biju Janata Dal (BJD) raised concerns that the project could be used for mass surveillance or ethnic cleansing in the future.

On 11 March 2016 the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016, was passed in the Lok Sabha. During the Rajya Sabha debate on 16 March, Sitaram Yechury of the CPI-M said that the bill should not have been passed when the issue of the right to privacy was still in the Supreme Court. On 16 March 2016 the bill was returned to the Lok Sabha by the Rajya Sabha with some suggested amendments, which the Lok Sabha promptly rejected.

The Unique Identification Authority of India (UIDAI) introduced Face Authentication to further strengthen Aadhaar security. It decided to enable 'Face Authentication' in fusion mode on registered devices by 1 July 2018, so that people facing difficulties in other existing modes of verification such as iris, fingerprints and One Time Password (OTP) could easily authenticate.


CONCLUSION

There were several allegations about the breach of Aadhaar data. For instance, if an operator saved a copy of a user’s biometric fingerprints on his computer, he could transact on the user’s behalf by replaying the fingerprint stored on his computer. On February 11, 2017, a YouTube clip illustrating such a replay attack was leaked online. On February 24, 2017, UIDAI filed a criminal complaint, alleging that an employee of Suvidhaa Infoserve Pvt. Ltd had used Axis Bank’s gateway to UIDAI’s servers to conduct 397 biometric transactions between July 2016 and February 2017 using a stored fingerprint.
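
A stored-fingerprint replay of the kind described above can be detected on the verifying side, because a resubmitted sample is byte-identical to an earlier one while two live captures are not. The following Python sketch is an added example, not code from UIDAI or from the original case study; the record layout, operator ids and payload bytes are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample records: (transaction id, operator id, biometric payload).
# The field layout and values are hypothetical, not a real UIDAI log format.
SAMPLE_LOG = [
    ("t1", "op-A", b"capture-7f31"),
    ("t2", "op-B", b"capture-91c2"),
    ("t3", "op-A", b"capture-7f31"),  # byte-identical to t1
    ("t4", "op-A", b"capture-7f31"),  # byte-identical to t1
    ("t5", "op-B", b"capture-03aa"),
]


def find_replayed_samples(records):
    """Return {sha256 hex digest: [txn ids]} for payloads seen more than once.

    Assumption: sensor noise makes every live capture differ at the byte
    level, so an exact repeat means a stored sample was resubmitted.
    """
    seen = defaultdict(list)
    for txn_id, _operator, payload in records:
        seen[hashlib.sha256(payload).hexdigest()].append(txn_id)
    return {d: txns for d, txns in seen.items() if len(txns) > 1}


def replays_per_operator(records):
    """Count, per operator, the transactions that reused an earlier payload."""
    first_seen = set()
    counts = defaultdict(int)
    for _txn_id, operator, payload in records:
        digest = hashlib.sha256(payload).digest()
        if digest in first_seen:
            counts[operator] += 1  # repeat of a payload already on record
        else:
            first_seen.add(digest)
    return dict(counts)


if __name__ == "__main__":
    for digest, txns in find_replayed_samples(SAMPLE_LOG).items():
        print("replayed sample", digest[:12], "in transactions", txns)
    print("repeat submissions by operator:", replays_per_operator(SAMPLE_LOG))
```

The per-operator count is what an auditor would review first, since a run of repeats from one operator matches the pattern alleged in the complaint.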

Though there might be several prevailing concerns over data security, analysts felt that these could not offset the benefits Aadhaar had to offer. In addition, one could not completely overlook the GoI’s efforts to make Aadhaar more secure. All the technical anomalies that were exposed were being instantly taken care of by the UIDAI.


