2016/03/16: In recent days, radio listeners may have heard advertisements for a company called TrustID offering “India’s 1st Aadhaar based mobile app to verify your maid, driver, electrician, tutor, tenant and everyone else instantly”. The app boasts it can do this in "less than a minute". Its punchline: “Shakal pe mat jaao, TrustID pe jaao.” Don't go by the face, use TrustID.
Think about what this means. A private company is advertising that it can use Aadhaar to collate information about citizens at a price. It says this openly, even as a case about the privacy of the information collected for the biometrics-linked government database is still pending in the Supreme Court.
This corporate ambition to exploit the business opportunities of this massive population database is now a part of the law that the government seems in a hurry to pass.
Aadhaar is a biometric identity system. Verifying an individual’s identity through it involves authentication, whereby a person’s Aadhaar number, along with another data point—either a biometric marker like a fingerprint or iris scan or a one-time password sent to their registered mobile number—is digitally queried against a central database. If the inputs match with an entry in the database, the authentication returns a “yes” response and the person is judged to be who the Aadhaar says he or she is.
When Aadhaar is used as a photo ID, however, no authentication is generally performed. This, critics argue, defeats the very purpose of introducing a biometric ID.
HuffPost revealed the existence of a malicious patch said to disable critical security features, making it easier not only to create unauthorized Aadhaar numbers but to fool the system’s biometric recognition systems from virtually anywhere in the world.
The purpose of the patch, which is reportedly in widespread use and easily obtained for roughly Rs 2,500 (around $35), is not to grant access to information in the database; rather, it allows unauthorized users to introduce information to it -i.e., create identities, potentially with fraudulent biometric data.
Once the patch is installed, enrolment operators no longer need to provide their fingerprint to use the enrolment software, the GPS is disabled, and the sensitivity of the iris scanner is reduced. This means that a single operator can log into multiple machines at the same time, reducing the cost per enrolment, and increasing their profits.
The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.
The patch disables the enrolment software's in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.
The patch reduces the sensitivity of the enrolment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.
The vulnerability is intrinsic to a technology choice made at the inception of the Aadhaar programme, which means that fixing it and other future threats would require altering Aadhaar's fundamental structure.
"Whomever created the patch was highly motivated to compromise Aadhaar," said Gustaf Björksten, Chief Technologist at Access Now, a global technology policy and advocacy group, and one of the experts who analysed the patch at HuffPost India's request.
"There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile," Björksten said. "To have any hope of securing Aadhaar, the system design would have to be radically changed."
The State of Aadhaar Report (SOAR; henceforth "Report") by IDinsight (funded by Omidyar Network) was released on 17th May 2018. Herewith we examine the claims and recommendations in the Report to
2018/05/08: Aadhaar is India's digital identity system. By reading the right stuff about Aadhaar everybody, no matter where he or she lives, may learn a lot about crucial stuff like Free/Open Source software, Open Government and Open Data.
The biggest question that the Asia Times news story raises about the compromised enrollment software is - Why UIDAI cannot fix it? This post answers this question and the implication of this
Lokniti's PILs are often taken up with alacrity by the central government.
A major fin-tech scam is on the cusp of emerging in India's instant loan startups space. The case below could be a precursor to it .
Mismatched numbers, wrong photos, disappearing names, fingerprinting errors - Aadhaar is in full flow in AP's Anantapur district. At the receiving end are BPL card holders who have been denied rations for months
Man denied Aadhaar after fingerprints partially match with seven others
A centralised database, dual use as identifier and authenticator, and lack of sound legal framework are its main weaknesses.
Aadhaar breach: Gaping holes in data security and the unreliability of biometrics put a question mark on the project. UIDAI's denials are increasingly unconvincing
Once Aadhar is made mandatory, it will be meaningless to declare it to be voluntary or optional through some future judicial review
Aadhaar enrollment was completely outsourced to private parties with the sole aim of building the world's largest biometric database.
Aadhar enrollment goes on. Aadhar being made compulsory for various public services. All of this, in a legal vacuum.
Desktop Linux for Everyone
Aadhaar reflects and reproduces power imbalances and inequalities. Information asymmetries result in the data subject becoming a data object, to be manipulated, misrepresented and policed at will.
Read more about Aadhaar, the paradox on Business Standard. One of the key reasons to kick off the Aadhaar-based identification system was to biometrically identify illegal immigrants from neighbouring countries. The irony is, now the Bangladesh government - a significant chunk of illegal immigrants in India
Jean Drèze's question 'Is Aadhaar voluntary or compulsory?' is disingenuous.