Is it Safe to Have an Aadhaar Number?

Tales from the Encrypted

Illustration: Saachi Mehta/ Arré

In the Hollywood-flavoured musical adaptation of Victor Hugo’s Les Misérables, the protagonist Jean Valjean bursts into a courtroom, belting out in an awkward baritone: “Who am I? Two-Four-Six-Oh-One!”

Valjean, formerly prisoner 24601, had stolen a loaf of bread to feed his widowed sister’s starving children, only to end up serving 19 years in prison for his misdeeds. His captor, the ruthless inspector Javert, had arrested a man bearing a striking resemblance to Valjean, seeking to imprison him once more for violating parole. But Valjean altruistically saves him by revealing his identity to the court.

In many ways, India in 2017 bears a strong resemblance to the 19th century France depicted in Les Misérables, arguably in terms of impoverishment, law enforcement incompetence and an obsession with long, repetitive musical interludes, as evidenced by the average Bollywood blockbuster. But there’s also another disturbing similarity – a 12-digit Aadhaar number that resembles the 19th century numeric branding of inmates depicted by Hugo.

One of the most controversial aspects of the Aadhaar number is its association with several pieces of biometric data of its corresponding resident, including all 10 fingerprints and a high-resolution scan of the retina of both eyes. Given the unlikelihood of getting a new set of fingerprints or retinas, the Aadhaar number is irrevocably bound to its owner, along with other key demographic data such as gender, address, date of birth, email, and phone number. Once the system nears 100 per cent coverage, the Aadhaar database will be the single largest repository of demographic and biometric information in the world.

Naturally, the mere existence of a behemoth of this nature has sent shockwaves of concern for privacy, misuse, and abuse of power among privacy advocates and technologically savvy communities across the country. To many, given the government’s track record at all things technology-related, coupled with widespread reports of corruption and malfeasance, the question of this data falling into the wrong hands is somewhat redundant.

A review of the technology behind Aadhaar, however, is promising. Its overall architecture is sound, scalable, robust, and takes several reasonable steps to ensure security and privacy of data, isolating it completely from third-party agencies, and utilising military-grade encryption to minimise the possibility of misuse. Aadhaar’s systems merely respond with a “Yes” or “No” to any query, and are built to verify the authenticity of a person’s claim to identity. Verification of this further requires confirmation by the resident via SMS or biometric data, thus ensuring that third parties require the express consent of the Aadhaar cardholder to furnish their data.

Despite these safeguards, the technological accomplishments of Aadhaar’s architects are not infallible as far as the system’s human-dependent processes are concerned. Several embarrassing cases have revealed cracks in the Aadhaar enrollment processes. A Kerala resident successfully managed to trick the system into issuing him two Aadhaar cards, by simply appearing twice for enrollment. In other separate and somewhat hilarious incidents over 2013-14, a tree, a chair, a dog, and “Hanuman” were each issued Aadhaar cards, in what were termed cases of “operator error” by UIDAI officials. Having watched the Aadhaar enrollment team members type my name and address into the system at a dazzling 10 words per minute, punctuated by phone calls and visits to the restroom, I can’t say I’m surprised. In May last year, more disturbingly, a Jaish-e-Mohammed terrorist was apprehended in Pakistan-occupied Kashmir with a forged Aadhaar card in his possession.

In principle, the merits of Aadhaar as an identity platform in the Indian context are potentially immeasurable. However, the scope for abuse is perhaps equally so. Simply put, if the government were to do something nefarious, such as conduct surveillance operations on members of the opposition, the absence of a watchdog organisation, or third party civilian oversight committee, renders the likelihood of this to be a simple matter of chutzpah. This would also require a handful of high-level co-conspirators within the UIDAI itself.

Other less likely doomsday scenarios include the data falling into the hands of criminals, either through leaks from within the UIDAI, or infiltration of their data centres. The latter would arguably be a daunting task, going by the sheer volume of data to sift through. The data runs into several petabytes (1 petabyte = 1024 terabytes) due to India’s enormous population.

Additionally, technology is poised to reach a stage within the next decade where high-speed cameras and imaging equipment will be able to photograph and track the human retina from a reasonable distance, thereby enabling Aadhaar to potentially form the foundation for a nationwide big-brother style tracking system, in which every CCTV camera in the country could track the movements of any resident in the country.

The rising popularity of biometrics as a means of identification and authentication will also likely preempt a new age of identity theft devices that seek to steal fingerprint and retina data from residents, and perhaps have the unintended consequence of making gloves and sunglasses quite fashionable.

Today, attitudes toward keeping Aadhaar numbers private are almost non-existent. Applying for a passport, internet connection, bank account or a slew of other services enables one to provide proof of identity via Aadhaar, thereby exposing one’s Aadhaar number and invariably one’s fingerprints to KYC executives, salesmen, etc. The IRCTC website was recently compromised, and over 1 lakh names and Aadhaar numbers were reportedly leaked online, revealing the liability of the third parties entrusted to store them securely. Unlike passwords, PAN cards, or passports, neither the Aadhaar number nor fingerprint can be changed, leaving victims of Aadhaar identity theft in a state of perpetual compromise. In many cases, the Aadhaar authentication platform requires only these two pieces of data (biometrics + number) to complete various transactions including the withdrawal of funds in certain types of bank accounts.

In December 2015, a mass shooting and attempted bombing in San Bernardino, California, led to a contentious debate in the United States over a citizen’s fundamental right to privacy. Apple Inc refused to cooperate with an FBI investigation that had requested “backdoor access” to the suspected terrorist’s iPhone. Apple had refused on principle, but would we be prepared, as a society, to have an enlightened discussion on the nature of privacy the next time there’s an attack on Indian soil? Furthermore, while biometric data is a reasonable way of confirming a person’s identity, it is significantly less impressive at searching a database for a fingerprint match (despite what TV shows may have you believe). A partial match might yield 5,000 matches within the system, turning 4,999 innocents into potential terror suspects, at the mercy of various draconian anti-terrorism legislations, or worse, the discretionary powers of the state during a time of emergency.

Processes for oversight, watchdog mechanisms and safeguards to guard against these Orwellian catastrophes are sketchy at best, and the unbridled apathy of the general population toward important issues of our time, such as the right to privacy in a digital age, only serves to make matters worse. The Supreme Court has thus far upheld the view that the UIDAI is not required to share biometric data with law enforcement agencies to probe criminal cases. However, the same court once controversially held that its verdicts needed to “satisfy the collective conscience of the country”.

As I sit here haunted by the echoes of “anti-national” and “terrorist sympathiser” fading away into silence from the last time this country tried to, rather unceremoniously, have a national debate about a controversial subject (the death penalty), I wonder if it is perhaps time for us to speak now, or forever hold our peace.

This post is sponsored by Palo Alto Networks.

This article was published earlier on June 9, 2016