The Unique Identification Authority of India (UIDAI) on Wednesday said that it does not have information about bank accounts, health records, or financial and property details of Aadhaar card holders, and “will never have” such details in its database. The Aadhaar-issuing body, in an attempt to dismiss existing apprehensions among millions of card holders and experts, and send a message of comfort, said that its database contains only minimum details of the biometric ID holders, including select demographic information.

It was a well-articulated public outreach, but hardly convincing enough to reassure the doubting public.

Speaking exclusively to The Voice of Nation, Pavan Duggal, international expert on cyber law and cyber security, highlighted various loopholes in the Aadhaar ecosystem and warned that if corrective measures are not taken quickly, a lot could be at stake.   


Aadhaar was unmindful of cyber security as a basis

I am of the firm opinion that as a nation, when we began our journey, we were clueless of the direction where we were going. So Aadhaar, when it got started in 2009, was never started having in mind cyber security. It was started as a voluntary experiment. It started growing big, but now with this Government linking Aadhaar to a majority of Governmental services, the problem of cyber security has become complicated and confounded. Today, the Aadhaar ecosystem is thoroughly unsafe and unsecure.

The UIDAI invariably talks about the security of Aadhaar. When I look at the Aadhaar Act, 2016, it is only concerned with the security of the central identities data repository where the biometric information is stored. The consistent stand of the Government is that it has never been breached.

Things were fine so far, but when the Government started linking various services to Aadhaar, an ecosystem started developing around it. This is a space where all kinds of private players are having access to Aadhaar. In this ecosystem, there is nothing on cyber security, nor any revelation, stipulation, guideline or any recommendation.

In this ecosystem, cyber security breaches are happening each passing day, at least 10,000 of them. Therefore, Aadhaar, as a paradigm, is unsafe when I start linking up various services. It would have been better for the Government to have done its cyber security homework prior to linking. But even now, nothing is too late.

Open to exploitation

While the matter is being adjudicated by the Supreme Court, the Government should have a relook at the cyber security infrastructure of the Aadhaar ecosystem. All the time, the UIDAI has been only talking about the central identities data repository. I am talking about the bigger ecosystem that has started developing around Aadhaar, where under the garb of Aadhaar, people’s biometrics are being captured on private devices of subscribers.

And then you have private initiatives, like the ‘Aadhaar Bridge’, coming in where you are now taking the sharing of information to a different level. All this has been possible because India does not have a data protection law. It has also been possible because the Aadhaar Act, 2016, has become redundant today because it does not deal with the current day reality of the Government linking a lot of services to Aadhaar. The Act was passed with the basic premise that it would be voluntary, but now with it becoming mandatory, there is a need for massively amending and revisiting the 2016 Act.

Sitting on top of a volcano?

With 1.12 billion people already on board Aadhaar, we need to pause, plug the loopholes and make the system far more secure before we start getting other people on board and before we start making the linking mandatory because there is an intrinsic problem. People’s biometric information is sensitive personal data. Once that is compromised, there is no remedy for the person whose biometric information is lost to others.

The Aadhaar Act has stripped the residents of the country of even the basic right of reporting Aadhaar breach or Aadhaar misuse to any police station because only UIDAI has been given the authority to register an FIR. India is sitting on top of a volcano which is about to burst. And we are not even prepared how to deal with it.

The patchwork that’s currently being proposed is something that’s not going to serve India well. The patchwork of trying to have a virtual identity or having facial recognition features coming by July 2018 does not remedy the basic defect that exists in the architecture. There is an absence of adequate legal frameworks and protections. So the quicker we start concentrating on this, the better.