Aadhaar or Adhar?
by Mukesh Saini on 06 Apr 2017

Aadhaar is a Sanskrit word which means ‘foundation’ or ‘basis’; the phonetically close Sanskrit word “Adhar” means ‘in-between’ or ‘incomplete’. The Government’s effort for Unique Identification (UID) for all CITIZENS is in Adhar and not in Aadhaar because Aadhaar is UID for all RESIDENTS, including illegal residents. Worse still, Aadhaar is one of the primary routes for getting government benefits from various schemes. This implies that a reasonably large percentage of Indian taxpayer money is being spent to sustain illegal migrants, especially from Bangladesh.

 

Aadhaar is used to obtain other identification documents, including ration card, bank account, driving licence and passport, even by illegal migrants, thus slowly but surely converting them into Indian citizens. Placing all biometric data in a single common database is a well-known hazard. Therefore, Aadhaar poses serious financial, demographic, privacy, social and security concerns for the present and the next few generations of INDIAN CITIZENS.

 

Based on the wrong premise

 

Aadhaar intends to use biometrics for authentication of Indian residents. According to the philosophy stated in the “UIDAI Strategy Overview”, authentication is based on the following three methods:

a) What you know: something the user uniquely knows that is not public, such as a password, passphrase, picture, story, song, etc.

b) What you have: something the user uniquely has, such as a smart card, token, mobile phone, etc.

c) What you are: something the user individually is or does, such as biometrics (face, fingerprint, iris pattern), signature, handwriting, etc.

 

However, these principles rest on a premise that is no longer valid. There are two major problems with “What you are” as a method of authentication.

 

Firstly, unlike a password, biometric data is not secret, nor is it fully under the control of its owner. Biometric data today is shared not only with the Aadhaar authorities but practically everywhere, including attendance systems and banks, and it is left behind on every table and door the individual touches.

 

In December 2014, Starbug, a well-known hacker who had broken Apple’s Touch ID sensor within 24 hours of its release, took some photos of the German defence minister Ursula von der Leyen while she was addressing an event and, by the end of the event, presented her fingerprint. Such a fingerprint can then be reproduced mechanically or electronically and fed into another electronic system or application.

(See: https://youtu.be/_6JnKT6ybj4 and http://www.instructables.com/id/How-To-Fool-a-Fingerprint-Security-System-As-Easy-/)

 

Financial support to non-citizens

 

Section 9 clarifies that Aadhaar is not proof of citizenship or domicile. This means that benefits accruing out of Aadhaar will be niraadhaar (without the basis of citizenship). It is very strongly recommended that a special mark (such as *) be embedded in the Aadhaar number itself to show that the person is NOT a citizen of India. The government has passed repeated orders to identify Indian citizens, but there appears to be no progress in this regard. In any case, the requesting entity must know whether the person being enquired about is Indian or not.

 

Financial Risk

 

According to section 11(2), the authority will be a body corporate, which means it will be covered under section 43(A) of the Information Technology Act and the rules made thereunder. It also means that the authority will not have the protection afforded to the government in case of any failure. If for any reason any core biometric information is lost, the authority will face civil liability of an unlimited amount. Unlike the other methods of authentication, loss of a biometric is a lifelong loss, hence the liabilities arising from such a loss will be far greater. In the case of a complete loss, the civil liability may run to a few lakh crores. Is the authority or the government ready for such a loss?

 

Will the government be morally right to pay for such a loss to the citizens of India, caused by its own incompetence, from the money collected through taxes from the citizens of India? The Act is silent on this risk assessment.

 

Secondly, biometrics are permanent; unlike a password or a smart card, they cannot be changed. God forbid, if the complete Aadhaar database is compromised (like Sony’s), which must be expected, the biometrics of all citizens will be compromised. Isn’t that far too big a risk for the government to take? Biometric access control to sensitive areas such as defence installations will automatically become unusable for the rest of that senior defence officer’s life. Unlike a password or token, there is no way to correct the situation.

 

The challenges in this field will increase manifold as financial transactions based on biometrics increase. For example, the government had ordered that App Praman be used for giving life certificates for all pensioners. An individual can create his own artificial fingerprint and give it to his family to continue drawing full pension even after his death.

 

Privacy in hands of foreigners

 

Section 14 does not restrict the citizenship of the chairperson and the members of the authority, hence it is possible to appoint a chairperson who is neither Indian nor a resident of India. It is therefore necessary to amend section 14 to state that the chairperson and members must be ‘resident Indian citizens’ only. If we cannot find a reasonably competent person to be chairperson or member of the authority, then it is a matter of shame. Additionally, if such persons are foreign nationals, ensuring compliance with Section 16 will be impossible.

 

Breach by Chairperson or a Member

 

In case of any breach of Section 16, which relates to the cooling-off period of three years for the Chairperson and members, there is no provision in the Act for appropriate punishment. Thus there is no deterrent against non-compliance. The maximum punishment under the general provision at Section 42 is just one year of imprisonment, and the offence is bailable and non-cognizable.

 

Relationship with Software, Hardware and Database Vendors

 

There has been repeated questioning of the UPA government in respect of the contract it has signed with various software and hardware providers and database maintainers, especially the contractual agreement between the Authority and MongoDB. Neither the UPA government nor the NDA government issued any clarification in this regard.

 

If the silence is considered as acceptance of this contractual flaw, then section 22B has extended this contractual liability forever and shared the private sensitive data of Indian citizens and residents with the US government. The charges are serious and silence is not an answer.

 

Section 23(2)(C) empowers the Authority to appoint an entity to operate the Central Identity Database Repository (CIDR). However, no limitation has been placed on this to ensure that Indians’ core sensitive data will not be handed over to a foreign entity. There is a precedent for such misuse, with serious national security impact.

 

The National Information Exchange of India (NIXI) was created so that communication within the Armed Forces does not traverse Internet exchanges located in the USA and intra-India internet-based communication stays within the territory of India. After severe pressure from the National Security Council Secretariat, NIXI was created by the Government in 2003, but its operations were handed over to a Uganda-based company. The primary objective of keeping such communication out of the reach of foreigners was defeated.

 

Attempt to Risk Transfer

 

The risk in case of leakage of the personal sensitive data of ALL Indian citizens is enormously high and irreparable. Once biometrics are lost they are lost forever; no change is possible. Through Section 28(4)(c), the Act makes a weak attempt to transfer such risk to consultants and advisers, who can neither practically nor possibly meet the civil liabilities arising from the loss of any core biometric information. If the decision to implement any advice is that of the Authority, then the liability must also rest with the Authority. Only limited liability, up to the fee paid, can be charged to advisers and consultants. No court will support such an open-ended provision.

 

Intelligence Gathering

 

The Bill at Section 13(3) allows the intelligence agencies to dip into the core biometric information and even extract it for an individual or a group. As explained earlier, creating a duplicate fingerprint or iris scan is not impossible; hence intelligence agencies could be used to create a fake presence of an individual who is politically motivated or otherwise inconvenient to the government of the day, or to a senior person in such an intelligence agency. The checks and balances are totally opaque; not even a summary of such access by intelligence agencies is shared with the public.

 

Additionally, the Act is silent on the security and privacy of the databases collected over time by intelligence agencies interacting with the CIDR. With this single mechanism, Gestapo- or Nazi-type operations can be easily launched. Unlike many advanced countries, India does not have an Intelligence Services Act to fix accountability. Hence this can lead to a serious breach of the freedom of citizens. (I have personally suffered such abuse by Intelligence Agencies).

 

Target of Cyber warfare

 

The Central Identity Data Repository (CIDR) will be a valid and lucrative target in a cyber war. Operation PRISM, Vault 7 and many other leaks of NSA (USA) information have clearly established that the agenda of the United States is to have cyber supremacy over the world.

 

The “UIDAI Strategy Overview” document elaborates in detail various security features in Chapter “4.0 - Authentication and e-KYC authentication services”, where extensive use of RSA and similar algorithms has been mentioned.

 

It may be noted that the RSA-designed algorithm has an inbuilt security loophole that allows the US Government to hack into any system or individual using it. Therefore, unless such algorithms, including their random seed generators, are written, vetted and certified in India, they will be a serious cyber-war-related security threat.

 

India has the capacity to write such code and to vet and certify it, but it is not clear whether the source code of these algorithms was written in India and vetted by a separate Indian authority. If these were provisioned directly from wherever the software and database were procured, then it must be assumed that the CIDR already stands compromised and that the US government already has the Aadhaar CIDR data.

(See: http://www.reuters.com/article/us-usa-security-rsa-idUSBRE9BJ1C220131220)

 

Minimum Punishment with Complex Procedures

 

Chapter VII of the Act shows that the Government is NOT serious about punishing anyone in case of a breach. On one hand, the Act admits that it is collecting the personal sensitive data of all residents of India; on the other hand, no offence it mentions carries a punishment of more than three years of imprisonment. No court may take cognizance of any offence under this Act without a written complaint by the Authority or on its behalf, which means the offences are non-cognizable, which in turn means that no police or investigating authority can investigate any offence on its own.

 

No citizen has any right to approach any court and make a complaint for any offence under this Act. No criminal liability can be brought under any Section of the Act except by the Aadhaar Authority itself.

 

The world is well aware of the case of Edward Snowden stealing this type of information from the National Security Agency of the USA. For a similar act by any employee of the Authority, the maximum punishment is just ONE year of imprisonment with a fine of Rs. 25,000/-.

 

Does the Government intend that an employee of the CIDR who has authorised access and takes unauthorised copies from the CIDR is not a serious offender? On similar lines, if the chairperson and/or members compromise anything related to Aadhaar, no action can be taken against them unless the same Authority complains against itself [refer section 47(1)]. Even the Government has no power to make a complaint for any such criminal liability.

 

The Government has tied its own hands; it cannot even issue directions on technical or administrative matters (submitting a complaint for an offence is an administrative action, not a policy issue), as the Aadhaar Authority becomes the ultimate authority in such matters under the proviso to Section 50(1). On one hand, no offence attracts a punishment of more than three years, hence no offence is considered serious; on the other hand, such cases must be tried by no court inferior to that of a chief metropolitan magistrate or a chief judicial magistrate [refer section 47(2)].

 

Thus we have a situation where a criminal proceeding can be initiated ONLY on the ‘complaint’ of the Aadhaar Authority; police investigation is NOT necessary; such offences, despite carrying low punishments, can be tried ONLY in a CMM or Sessions Court; and no court can award more than three years of imprisonment.

 

Conclusion

 

It appears that the present Government has picked up the pathetically drafted Aadhaar Bill prepared by the UPA Government, dusted it off, rehashed it in a few places and got it passed through the backdoor as a Finance Bill. The objective of delivering targeted financial help and avoiding corruption is noble, but the present Act and the approach of the UIDAI are full of loopholes. Most parts of the Act are correctable. For example: the core biometric must not be used for any authentication nor shared with anybody, including intelligence agencies, but it can be used in appropriately air-gapped systems for de-duplication of identities. The present Act in its current form is a threat to national security.
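The argument running from the three authentication methods (“what you know / have / are”) through the permanence of biometrics to the closing recommendation (biometrics only for air-gapped de-duplication, never for authentication) can be made concrete in code. The following is an added example, not code from the article or from UIDAI: it models a biometric as a fuzzy-matched bit template (iris-code-style Hamming distance), keeps that template in an enrolment-side registry used only for 1:N de-duplication, and performs online authentication with a revocable per-UID secret using a simplified HOTP-style counter OTP. The template size, threshold, sample templates and all class and function names are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed parameters: a short iris-code-style template and a loose match threshold.
TEMPLATE_BITS = 64
MATCH_THRESHOLD = 0.20          # accept as the same person if at most 20% of bits differ
MASK = (1 << TEMPLATE_BITS) - 1


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of differing bits between two templates (iris-code style comparison)."""
    return bin((a ^ b) & MASK).count("1") / TEMPLATE_BITS


def noisy_capture(template: int, flipped_bits: list[int]) -> int:
    """Simulate a fresh sensor reading of the same person: a few bit positions flip.
    This is why a template cannot simply be hashed like a password: no two captures
    are identical, so the matcher must see the raw template."""
    for pos in flipped_bits:
        template ^= 1 << pos
    return template & MASK


class DeduplicationRegistry:
    """Enrolment-side 1:N matcher holding raw templates. In the article's proposal this
    lives in an air-gapped system and never answers online authentication queries."""

    def __init__(self) -> None:
        self._templates: dict[str, int] = {}   # uid -> stored template

    def enrol(self, uid: str, template: int) -> str | None:
        """Return the UID of an existing match (a duplicate enrolment), else store and return None."""
        for existing_uid, stored in self._templates.items():
            if hamming_fraction(stored, template) <= MATCH_THRESHOLD:
                return existing_uid
        self._templates[uid] = template
        return None


class TokenAuthenticator:
    """Online authentication with a revocable secret ("what you have").
    The OTP derivation is a simplified HOTP (HMAC-SHA1, dynamic truncation, no look-ahead window)."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}
        self._counters: dict[str, int] = {}

    def issue(self, uid: str) -> bytes:
        secret = secrets.token_bytes(20)       # fresh random secret per issuance
        self._secrets[uid] = secret
        self._counters[uid] = 0
        return secret

    def revoke(self, uid: str) -> bytes:
        """Rotate the secret: the old token stops working. A leaked biometric has no such remedy."""
        return self.issue(uid)

    @staticmethod
    def otp(secret: bytes, counter: int) -> str:
        mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{code % 1_000_000:06d}"

    def verify(self, uid: str, code: str) -> bool:
        secret = self._secrets.get(uid)
        if secret is None:
            return False
        counter = self._counters[uid]
        ok = hmac.compare_digest(self.otp(secret, counter), code)
        if ok:
            self._counters[uid] = counter + 1  # each code is usable once
        return ok


def demo() -> dict:
    """Enrolment, de-duplication, token authentication, revocation and template leakage."""
    alice = 0x0123456789ABCDEF      # constructed template for person A
    bob = ~alice & MASK             # constructed: differs from A in every bit
    registry = DeduplicationRegistry()
    results: dict = {}

    # 1:N de-duplication: A trying to enrol again under a new UID is caught even though
    # the fresh capture differs from the stored template in four bit positions.
    results["first_enrolment"] = registry.enrol("UID-A", alice)
    results["re_enrolment_matched"] = registry.enrol("UID-A2", noisy_capture(alice, [0, 17, 33, 63]))
    results["distinct_person"] = registry.enrol("UID-B", bob)

    # Online authentication never consults the template; it uses the revocable secret.
    auth = TokenAuthenticator()
    old_secret = auth.issue("UID-A")
    code = TokenAuthenticator.otp(old_secret, 0)
    results["otp_accepted"] = auth.verify("UID-A", code)
    results["otp_replayed"] = auth.verify("UID-A", code)      # counter has moved on

    # Revocation works for the token but has no analogue for the template: a copy of A's
    # template taken from the registry still matches A for life.
    auth.revoke("UID-A")
    results["old_token_after_revoke"] = auth.verify("UID-A", TokenAuthenticator.otp(old_secret, 1))
    results["leaked_template_still_matches"] = registry.enrol("UID-A3", alice) == "UID-A"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is in the split: the registry's answer to a match is “this template is already enrolled”, never “grant access”, so a stolen or reproduced template buys an attacker nothing at the authentication service, while the one secret that does grant access can be rotated. Real deployments would also need liveness checks at the sensor and a look-ahead window in the OTP verifier; both are outside what this sketch shows.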

 

Sources:

- http://uidai.gov.in/library/references.html

- http://www.reuters.com/article/us-usa-security-rsa-idUSBRE9BJ1C220131220

- http://www.vifindia.org/print/1815

- https://youtu.be/_6JnKT6ybj4 , http://www.instructables.com/id/How-To-Fool-a-Fingerprint-Security-System-As-Easy-/

 

The author is the first National Information Security Coordinator (retd.), Government of India. The present cyber security structures date from his time; since then not a single structure has been added, only improvements have been made.
