Aadhaar: a project replete with tech glitches and errors

Among the measures taken to protect the Aadhaar database is a 13-feet-high wall that is 5 feet thick, KK Venugopal, Attorney General of India, told the five judge bench in the Supreme Court hearings on the constitutional challenge to Aadhaar. The UIDAI has told the Supreme Court that the Aadhaar Act had already been framed with privacy in mind. At another time, they have also argued that citizens did not have a right to privacy before the privacy judgment was passed.

The UIDAI CEO submitted before the Supreme Court the authentication log that made it clear that he has disabled biometric authentication for his own Aadhaar. Given that the UIDAI headquarters has AEBAS - Aadhaar Enabled Biometric Attendance System, the log also proves that the CEO of UIDAI bypasses the system to get to office. All government servants are required to mark attendance. The CEO of UIDAI doesn’t. The official Twitter handle of UIDAI has recommended people to keep their Aadhaar number secret as well as said that it could be freely shared as needed. Such contradictions are routine with Aadhaar. Having an Aadhaar is voluntary and mandatory at the same time.

Aadhaar is a project that should never have left the testing phase. It is a grand idea - an easy “solution” for a universal ID that is verifiable, indestructible and can be used “everywhere” to end “all” identification problems in one swoop, an ID that is secured by something unique to the person. In practice, such an idea does not coexist well with reality, as is seen from the self-contradictory statements from the UIDAI and the government over time.

The evolution of Aadhaar

Aadhaar began as a simple authentication of an individual that could be verified with biometrics. With official documents like a passport or election card that provided proof of identity as well as address, and PAN that was proof of identity, there was no reason for widespread adoption of Aadhaar which, at that point was neither a document nor had any basis in law. Aadhaar needed to become a one step answer to KYC, so on the fly, Aadhaar became a proof of address as well. UIDAI has no means to verify addresses provided when creating an Aadhaar and considers this to be the responsibility of enrolment agencies with no oversight, but the fees per enrolment do not appear to budget for verification of documents in person. Regardless of this serious flaw, Aadhaar was declared a proof of address and, when adoption was still reluctant, was made mandatory for the continued use of crucial services like rations, government pensions, school admissions, examination attendance, claiming life insurance, owning mobile SIMs and bank accounts. To give Aadhaar credibility, it was made acceptable as proof of address and identity for creating passports, opening a clear path for illegal immigrants and other foreign actors to assume de facto citizenship of India by holding an Indian passport. Foreigners who reside in India for six months are required to get an Aadhaar! This “ease” of verification using an unverified proof of identity has become a selling point that ‘saves’ services money spent on verification. Businesses profit from use of their services regardless of whether the use is legitimate or criminal. They can save money on compliance with KYC norms by adopting a cheap solution the government itself is promoting. The system STILL has serious vulnerabilities and data unreliability nine years later but that ubiquitous number is attached to every significant interaction with the government or large corporations, regardless.

CONVENIENT, BUT IMPRACTICAL SECURITY

Unlike a password, fingerprints or the iris cannot be revoked. Unlike most digital accounts, an Aadhaar number cannot be closed or changed. The use of biometrics to secure data associated with a number that also cannot be changed leaves the data attached to a compromised Aadhaar permanently insecure.

INAPPROPRIATE TECHNOLOGY

In a country the size of India, an “acceptable” identification success rate would still have to be above 99.9% for any technology to be considered reliable. One per cent of a country of a billion people is still 10 million people and bigger than many other countries. Even 0.1% would still be over a million! Failure rates as high as those in the use of Aadhaar haveno business being in live deployment.

INAPPROPRIATE METHOD OF AUTHENTICATION FOR PURPOSE

It is not the “fault” of the system. The system is operating as designed. The fault is in the design. For an application that must consistently identify a person and reject impersonation, a probabilistic method is not appropriate. The method of authentication should be one that cannot make mistakes in normal operation. Verification emails, passwords, two-factor authentications are pretty much the standard on the Internet. It is because they work consistently as long as the system is secure. When you see an official handle make a tweet, you know it is authentic, and if the handle gets hacked due to some lapse, there are immediate steps to secure it. There is no “probably” about it. The post is authentic or removed. In contrast, no two fingerprints are exactly alike, even when by thesame person, at the same time, one after the other. Whether two fingerprints are recognised to be the same will depend on how much difference between the two is accepted by the system. Too little and valid fingerprints will be rejected because of slight variations. Too much and invalid fingerprints will be accepted if they are similar enough. The result of biometric authentication is - “this is probably the person they claim to be” - not at all good when you consider that it is the basis to get bank accounts, PAN cards, passports, government welfare, and more. The opposite “this is probably not the person they claim to be” has proved catastrophic when desperately poor people have been denied welfare because of that “probably”.

IRRESPONSIBLE DEPLOYMENT

Way before Aadhaar was ready for deployment with sensitive data on a massive scale - it still isn’t - it was rolled out. Even as cases objecting to Aadhaar stagnated in the Supreme Court for years, the government openly flouted the Supreme Court’s orders that Aadhaar cannot be made mandatory, made false claims on behalf of the Supreme Court and access to an increasing number of necessities became conditional to Aadhaar.

One reason for this could be that the government realised too late that they had spent a lot of public funds on a project that could not be fixed without changing it fundamentally and the only way to evade accountability was to create an illusion of success by making the project too big to fail. Another reason could be that the big data business interests driving the project wanted the data of every Indian - willing or not. The citizens and the country will end up paying the cost of this reckless proliferation. When dying people and women about to deliver babies are unable to access medical attention in a hospital due to lack of an Aadhaar, you know there is something inherently inhuman about the project. Even outright enemies injured in war are to be given medical treatment according to the Geneva convention, but the government, under the pretext of preventing “leakages”, requires an Aadhaar to ensure medical treatment of its own people. What leakages are there in ill people needing medical assistance? Can an Aadhaar prove that a person claiming to be ill is really ill? Who is responsible for the endangered doctors and hospital staff at the hands of irate relatives if a patient dies due to treatment being refused for lack of Aadhaar? Fear is a powerful motivator. The more necessities are attached to Aadhaar, the more people are forced to adopt it. This is not a government representing the people’s interests, as implied by a democracy and elected representatives. This is a government intimidating the people in order to impose their preference.

INADEQUATE DATA SANITISATION

Test data is in the Aadhaar database. Data from accounts created in a time of blatant corruption of the enrolment process is there in the Aadhaar database. Aadhaars of fictional applicants like animals, plants and Lord Hanuman are there in the database, till they get publicly exposed and reactively removed by an embarrassed UIDAI. My personal favourite is one Mr Kothimeer (Coriander) with Aadhaar number 4991 1866 5246, who is the son of Mr Palav (Biryani), Mamidikaya Vuru (Village Raw Mango), of Jambuladinne in Anantapur district, as reported by the Deccan Herald. And of course the infamous Lord Hanuman, who not only had an Aadhaar, he also managed to link it to an LPG account for subsidies. CSC, with whom the UIDAI refused to renew the contract for Aadhaar enrolments for reasons of “corruption complaints and enrolment violations”, is responsible for a fifth of all Aadhaar enrolments, which continue to be in the Aadhaar database. Countless entries created by fraudulent means are there in the Aadhaar database. There are now 50,000 ex-operators who know how to use the system, being targeted by software pirates who have cracked the enrolment software that bypasses the security measures to allow anyone who buys it to update the Aadhaar database. Thousands of Aadhaar cards are dumped in wells and are stacked in post offices because they don’t have a real address, they exist as numbers that could be authenticated with biometrics and used as proof of that non-existent addresses by people who created them. Dead people’s numbers are there in the database. Immortal now, because an Aadhaar cannot be deleted, but could still be misused There is no telling how many of the Aadhaar numbers are authentic and of real living people, how many of dead people, how many are fake, but created without malice - plants, chairs and such pranks and how many are fraudulent Aadhaars created by criminals to enable ghost accounts for illegal activities.

LACK OF FAILSAFES

There is inadequate planning for what happens when Aadhaar fails. While the government claims in the Supreme Court that no one is denied their rights, researchers have conclusively established widespread exclusion due to Aadhaar failures. There are people denied an Aadhaar in spite of multiple applications, people who have Aadhaars, but can’t use them, because of operators making errors, there are queues of desperate people waiting to enrol or update their Aadhaars, because no one has bothered to ensure adequate facilities to accommodate for those willing to bow to the ruthless imposition.A simple example: Till recently, Aadhaar was mandatory for mobiles and banks. Verification can only be done in person. The aged and the disabled not only have to brave the queues at enrolment centres, they have to go to banks and mobile service centres in person, or lose both. Yet, these people would need both far more desperately than most of us - for monetary disability assistance and calling for aid in need.

IMPROPER UNDERSTANDING OF SECURITY

The UIDAI’s understanding of security appears to be largely political, where their primary focus is to maintain an perception of Aadhaar as invulnerable. However, Aadhaar is not a PR exercise and claims that sound successful cannot alter technological reality. Security in technological applications is a matter of impeccable processes to resolve problems and the UIDAI’s approach to it is embarrassingly childish, where it seems to think that if it denies problems, they will go away. A two year old with a face smeared with chocolate saying, “I didn’t eat the chocolate” is cute. An organisation responsible for sensitive data of over a billion people that is compromised over and over again, saying “Aadhaar is safe” is not. A requirement in tech security is that the developers are responsive to security issues and attentive to established communication channels so that any problems may be rapidly identified and resolved. Large scale implementations offer bug bounties, where skilled researchers volunteer their time testing a deployment and report any security issues for a reward to reduce likelihood of malicious hackers finding vulnerabilities. What the UIDAI does is the opposite. It actually files cases against those who show problems with the system publicly while ignoring them if they do it confidentially. This encourages people to at best do nothing about them, leaving them available for other malicious actors to exploit, or worse, to exploit the vulnerabilities themselves. This approach is not just poor on security, it is stubbornly insecure.

DENIALS PREVENT PROBLEM SOLVING

To date, the UIDAI has not admitted a single problem with Aadhaar publicly. If a problem cannot be accepted to exist, a solution cannot be found for it, because there is no problem. Worse, even if solutions present themselves, they cannot be allowed, because adopting them will imply that there was a problem.

THERE HAVE BEEN PROVEN COMPROMISES OF AADHAAR SYSTEM

The Aadhaar system has been reported to be compromised in many ways from the start. From dogs and trees and gods having Aadhaar cards, to reports of duplicated fingerprints being used to create Aadhaar cards. From Axis Bank, Suvidhaa Infoserve and eMudhra using a replay attack to test implementation of the Aadhaar system to Airtel Payments bank using authentication provided for validating SIM cards to create bank accounts and divert subsidy payments into accounts it held. There have been countless enrolment and fake Aadhaar frauds as well. From simple printing of bogus Aadhaar cards, to use of fake fingerprints and tampered software to bypass UIDAI’s security measures. The UIDAI’s response has been unfailingly monotonous. “Aadhaar is secure”.

LACK OF ABILITY TO PREVENT MISUSE OR TRACK IT

To date, there has been no news of those who sell illegal access to the Aadhaar database being found and arrested. Biometrics of a bank officer were sold to illegally allow access to the database. Software was tampered to bypass biometric checks in at least two scams. Illegal access to the database was sold on social media. All the sellers continue to be at large. People who have been shown to compromise Aadhaar security in sting operations have not been reported to be arrested. There is no end to this madness and it has proceeded so far, that the UIDAI admitting or not admitting vulnerabilities has become irrelevant. Aadhaar presents a threat to the privacy and security of citizens and makes them vulnerable to identity and monetary theft, surveillance and targeting. It presents a threat to the nation when it compromises its security by providing an insecure method of identification that allows extensive aspects to all necessities of life. It is a threat to international relations by providing international terrorists to easily get an Indian passport and conduct attacks that implicate our country. Aadhaar has gone beyond any point of recovery. It is irredeemably corrupted and unreliable, and the only “secure” solution for Aadhaar now is to completely suspend the project and set about destroying the data. This too is not going to be an easy task, given the reckless proliferation done in an attempt to make Aadhaar too big to fail. Aadhaar will fail sooner or later under the weight of its own incompetence and contradictions. The critical issue now is to ensure that it cannot do more harm to citizens and country. Destroy the Aadhaar, investigate its proliferation and prosecute its perpetrators.

(Vidyut Gore writes on Aadhaar for Medianama and also documents Aadhaar on aadhaar.fail)