2016/03/16: In recent days, radio listeners may have heard advertisements for a company called TrustID offering “India’s 1st Aadhaar based mobile app to verify your maid, driver, electrician, tutor, tenant and everyone else instantly”. The app boasts it can do this in "less than a minute". Its punchline: “Shakal pe mat jaao, TrustID pe jaao.” Don't go by the face, use TrustID.
Think about what this means. A private company is advertising that it can use Aadhaar to collate information about citizens at a price. It says this openly, even as a case about the privacy of the information collected for the biometrics-linked government database is still pending in the Supreme Court.
This corporate ambition to exploit the business opportunities of this massive population database is now a part of the law that the government seems in a hurry to pass.
Aadhaar is a biometric identity system. Verifying an individual’s identity through it involves authentication, whereby a person’s Aadhaar number, along with another data point—either a biometric marker like a fingerprint or iris scan or a one-time password sent to their registered mobile number—is digitally queried against a central database. If the inputs match with an entry in the database, the authentication returns a “yes” response and the person is judged to be who the Aadhaar says he or she is.
When Aadhaar is used as a photo ID, however, no authentication is generally performed. This, critics argue, defeats the very purpose of introducing a biometric ID.
HuffPost revealed the existence of a malicious patch said to disable critical security features, making it easier not only to create unauthorized Aadhaar numbers but to fool the system’s biometric recognition systems from virtually anywhere in the world.
The purpose of the patch, which is reportedly in widespread use and easily obtained for roughly Rs 2,500 (around $35), is not to grant access to information in the database; rather, it allows unauthorized users to introduce information into it, i.e., create identities, potentially with fraudulent biometric data.
Once the patch is installed, enrolment operators no longer need to provide their fingerprint to use the enrolment software, the GPS is disabled, and the sensitivity of the iris scanner is reduced. This means that a single operator can log into multiple machines at the same time, reducing the cost per enrolment, and increasing their profits.
Beijing is also rolling out a social credit system, using mass data collection to monitor and nudge citizens’ behaviour through strategic rewards and punishments. This is straight out of the dystopian TV series Black Mirror: in one episode, a woman is barred from buying a plane ticket due to her plummeting social ranking. In China, this is reality: one state-run media report admitted that 11 million train trips and 4 million plane trips have already been blocked due to low social credit scores. Such punishment can be triggered by misbehaviour ranging from the failure to pay back debts to spreading rumours, or even smoking or using expired tickets on trains. Conversely, a low credit score can be boosted by regular donations to charity. A senior official recently said that the system should ensure that “discredited people become bankrupt,” to underline the necessity of compliance.
2018/09/10: Not all facial recognition tech is created equal. Unlocking your phone with your face is just one end of a spectrum that contains plenty of spooky use-cases.
The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.
The patch disables the enrolment software's in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.
The patch reduces the sensitivity of the enrolment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.
The vulnerability is intrinsic to a technology choice made at the inception of the Aadhaar programme, which means that fixing it and other future threats would require altering Aadhaar's fundamental structure.
"Whomever created the patch was highly motivated to compromise Aadhaar," said Gustaf Björksten, Chief Technologist at Access Now, a global technology policy and advocacy group, and one of the experts who analysed the patch at HuffPost India's request.
"There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile," Björksten said. "To have any hope of securing Aadhaar, the system design would have to be radically changed."
This post is part of a series produced for VentureBeat by Singularity University.
Facebook is working to spread its face-matching tools even as it faces heightened scrutiny from regulators and legislators in Europe and North America.
The biggest question that the Asia Times news story raises about the compromised enrollment software is: why can't UIDAI fix it? This post answers this question and the implication of this
Mismatched numbers, wrong photos, disappearing names, fingerprinting errors - Aadhaar is in full flow in AP's Anantapur district. At the receiving end are BPL card holders who have been denied rations for months
A centralised database, dual use as identifier and authenticator, and lack of sound legal framework are its main weaknesses.
Aadhaar breach: Gaping holes in data security and the unreliability of biometrics put a question mark on the project. UIDAI's denials are increasingly unconvincing
Aadhaar enrollment was completely outsourced to private parties with the sole aim of building the world's largest biometric database.
As facial recognition tools play a bigger role in fighting crime, inbuilt racial biases raise troubling questions about the systems that create them
Tulsa_Time quotes a report from Phys.Org: Could flashing the "peace" sign in photos lead to fingerprint data being stolen? Research by a team at Japan's National Institute of Informatics (NII) says so, raising alarm bells over the popular two-fingered pose. Fingerprint recognition technology is bec...
2016/12/23: Online shopping makes it simple to buy gifts, but cookies, browsing histories and package deliveries make it considerably harder to hide them from the kids
Pushed through by decree on a national holiday, no democratic debate needed...
Aadhaar reflects and reproduces power imbalances and inequalities. Information asymmetries result in the data subject becoming a data object, to be manipulated, misrepresented and policed at will.
Read more about Aadhaar, the paradox on Business Standard. One of the key reasons to kick off the Aadhaar-based identification system was to biometrically identify illegal immigrants from neighbouring countries. The irony is, now the Bangladesh government - a significant chunk of illegal immigrants in India
The top court had acted on fears expressed by activists that a large number of people would be excluded from the purview of state-conferred social security.