Aadhaar and UIDAI have been hotly debated for quite some time now, following a reported death by starvation in Jharkhand after food grains under the National Food Security Act (NFSA) were denied for want of Aadhaar, and reports in the Tribune of a breach of the Aadhaar data security system. Now, a pointed query by a bench of the Supreme Court regarding the issue of Aadhaar cards to 1.77 million homeless people is bound to increase the focus on this subject. So far, the government and UIDAI have been in some sort of denial mode on these pertinent issues.
India will never be an advanced economy until it has a social security system in which the poor, the disabled, and the unemployed can share in the country’s social capital. Australia and the European economies are rated as advanced economies only because every citizen has a share in the nation’s wealth, whether he or she earns through employment or investment, or is given a sustainable dole when, for circumstances beyond their control, they cannot earn. You call this a civilised and compassionate society. GST and Aadhaar are both incomplete without a social security system. The government has a responsibility to care for its people.
The biggest flaw was that Aadhaar hoped to use biometric authentication. Biometrics should have been kept just to identification or verification, and not used for authentication. Countries like Germany have already tried it. I have nothing against biometrics being captured by the government; in fact, cops should have access to them, and so should immigration officials.
The parameters required to authenticate successfully can easily be faked, stolen, duplicated, or damaged, or can change with age and time.
Consider the headline: “Hacker fakes German minister’s fingerprints using photos of her hands.” If the intention was just to have a comprehensive biometric database, that is fine, but if the objective was to create an authentication mechanism, it is flawed to use any static data, including fingerprints, UIDs and RSA keys, that can easily be “spoofed” or stolen. Keys, of course, can be changed; dynamic mechanisms like OTP or RSA SecurID are better suited for the authentication part.
You will never know if your fingerprints are stolen, but you will know if your mobile or SecurID token is stolen, and you can inform the relevant authorities.
You can change your password once it is compromised, but not your fingerprints or other biometrics. The second token should always reside on a device different from the transacting device, and there should be no common accessibility across them except by the end user. Suppose that, after the Aadhaar card is implemented completely and is in proper force, you have a problem with verification and your data is, for some reason, locked out. How will you resolve it? How will you fight a case and prove it is you when any case in the Indian legal system takes years to resolve? There are many more examples like this to consider.
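The static-versus-dynamic argument above can be shown in a few lines. This is an added example, not part of the original article: a fixed credential (a stand-in for a biometric template, compared exactly as a simplification) verifies every time a copy is presented, while an RFC 4226 HOTP code is accepted once and the token secret can be rotated. The class names and the sample template are constructed for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class StaticVerifier:
    # Stand-in for a stored biometric template (real matching is fuzzy;
    # exact comparison is a simplification for this example).
    def __init__(self, enrolled: bytes):
        self._enrolled = enrolled

    def verify(self, presented: bytes) -> bool:
        return hmac.compare_digest(self._enrolled, presented)


class OneTimeVerifier:
    def __init__(self, secret: bytes, window: int = 3):
        self._secret, self._counter, self._window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1  # this code and earlier ones are spent
                return True
        return False

    def rotate(self, new_secret: bytes) -> None:
        # Revocation after theft: possible for a token, not for a finger.
        self._secret, self._counter = new_secret, 0


def replay_demo():
    template = b"constructed-fingerprint-template"  # constructed sample
    static = StaticVerifier(template)
    static_results = [static.verify(template) for _ in range(3)]

    secret = b"12345678901234567890"  # RFC 4226 test secret
    otp = OneTimeVerifier(secret)
    code = hotp(secret, 0)
    otp_results = [otp.verify(code) for _ in range(3)]
    return static_results, otp_results
```

`replay_demo()` returns the verification results for three presentations of the same static credential and three presentations of the same one-time code.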
India is not ready for something like the Aadhaar system right now. Our digital security is not robust, our laws are not strong, justice isn’t delivered fast enough, our people are too corrupt, and people with little knowledge and education mostly run government nationwide. The Aadhaar Authentication Regulations 2016 specify that transaction data will be archived for five years after the date of the transaction. Even though UIDAI claims that this is a zero-knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers of the registered devices and the time stamps that are used for authentication. That is how they put Rajat Gupta and Raj Rajaratnam in prison. There was nothing in the payload, i.e. the voice recordings of the tapped telephone conversations; the conviction was based on metadata. Smart cards based on open standards allow for decentralised authentication by multiple entities and therefore eliminate the need for a centralised transaction database.
We also need to educate people on the risks involved, and highlight examples of ID theft and fraud. We have a multiplicity of laws, which overlap. Our IT laws have to be modernised, and we have to put the liability on the company handling the data so that it is not stolen or shared without consent. This century comes with certain risks. If we want a risk-free environment, as extreme as it may sound, we have the option to go back to the Stone Age. It is like saying we should ban cars because driving has become risky. Cars are essential, and we create road safety norms to mitigate their risk. Similarly, we need to take a level-headed approach and ensure that ample safeguards are put in place for data protection and privacy, because UIDAI’s claim of a foolproof system has been exposed.
Data has been breached and the damage done is beyond repair. The data may be in many hands by now and may be misused. The Virtual ID is an uphill task for the common man and for non-techies. There are many illiterate persons who still depend on others to fill in bank challans; how will they generate a Virtual ID? Having admitted to the breach, UIDAI should immediately withhold Aadhaar until the system is foolproof, or advise the government to issue the necessary orders not to make Aadhaar mandatory until a foolproof system is in place. Generating Virtual IDs is no guarantee that authentication frauds cannot take place. Even today, a simple search on Google provides one with more than 200 Aadhaar numbers. If hackers have an Aadhaar number, it is very easy to create a Virtual ID using it. Also, this still does not mitigate the dangers of storing sensitive data of over a billion people in a centralised database. The BJP government rushed into imposing the Aadhaar card on the common man without a proper plan or foolproof security backup. It did not give a thought to the underprivileged and homeless citizens of the country, and has denied them their right to live if they have no Aadhaar card; even the death of a person will go unregistered if he or she dies without Aadhaar. Day by day, life is becoming more difficult for the common citizen; it is high time the government came up with some solutions.