Breach fears: How safe is Aadhaar data?

Any data will run the risk of being leaked and people harassed. The security of the gargantuan Aadhaar database comes into question. Is a public sector utility capable of keeping our personal information safe?

Information security is a major concern for the public sector because of the sensitive and personal data it holds. The Aadhaar of UIDAI is probably the biggest identity database in the world with personal and biometric identification information gathered on well over a billion people. Would you trust the Government of India with your personal information and expect it to be kept safe?

The great fear is that the sensitive data on almost all Indians is being kept by a public sector organisation. Two incidents have already exposed the danger of security breaches — 1. The personal details of Mahendra Singh Dhoni were made available in the public domain, a breach attributed to an outsourcing Aadhaar agency and 2. Persons have been caught selling Aadhaar seals and setting up fake websites calling for personal information for registration. While the first incident may have been an accident, it is human greed that may prove the bigger threat.

The very fundamentals of biometric data collection have been challenged and the judges are still pondering over this cause celebre. Petitioners have contended that the biometric data and iris scan being collected violated the fundamental right to privacy of the citizens as personal data was  not protected, and was vulnerable to exposure and misuse. Besides, the Aadhaar card is an invasion of privacy and a terrible violation of basic human rights.

At a time when so many points have not been settled in law, the Centre goes on adding mandatory declaration of Aadhaar number for benefits, including noon meal scheme, scholarships, admission, taking examinations, domestic air travel, Sim cards for mobile phone with the only concession made now is the last date for linking Aadhaar to social benefits has been extended. By 2020, about 100 billion electronic objects will be connected to the Internet and the wireless sharing of data is bound to increase the risks for public services. Access to the Aadhaar database has already been given to telecom companies and they have been tasked with confirming the biometric ID of customers in order to link mobile phones to Aadhaar numbers. On the face of it, this would be a great security enabler as each mobile user should technically be traceable to a person. But, again, would you trust outside agencies to collect and keep such data without letting any of it leak?

Soon, you could have hospital records linked to Aadhaar and a person’s health history, including mental illnesses if any, could be exposed to third parties with grave consequences.  Leaked data could be used by hackers or cybercriminals to blackmail individuals in ransom attacks, or facilitate identity theft. A great deal of concern focuses on personal data — any information like ID number. Ensuring personal data is anonymous and complies with data protection regulation poses a mammoth task. Is UIDAI ready to cope with this, particularly as it has to deal with issues that arise out of sharing the database with banks, telecom companies, etc?

Leaks are not uncommon. Take the recent case of the credit reporting company Equifax in the US which failed to protect the personal financial data of as many as 143 million Americans — names, addresses, social security numbers, birth dates, credit card numbers. They are baying for the company’s blood now because the data breach happened in a company with which no one did any business, like say flying with an airline or buying a book or purchasing a pen. Equifax existed only for managing people’s most sensitive private financial data, a responsibility it failed to live up to. UIDAI is in a similar position as its raison d’etre is to gather and protect huge data of the people of an entire nation.

Self-sovereign identity in decentralised yet verifiable system with cryptography in which the individual has the power to control his data and stand alone systems like India’s Electronic Voting Machines that will give out only numbers for verification  rather than any personal data online are recommended for greater security. Assumption number one in the electronic age is that whatever can be hacked is going to be hacked. A second rule is that everything that can be connected will be connected, thus increasing the risks of leaks. The more one gets to know about people, the easier will it become to reach them by mobile or email and to mimic them in the event of the wrong people getting their hands on the data. This is why any identifier is risky in this day and age.