The document summarizes privacy and security risks associated with India's Aadhaar identification project. It identifies key risks such as unauthorized access and use of Aadhaar details, profiling of users across domains, and insider threats to the centralized identity database. Recommendations are provided to address shortcomings in measures by the Unique Identification Authority of India (UIDAI) such as strengthening legal frameworks, separating identity verification from authentication, and using cryptography to better protect sensitive biometric data. Overall, the author acknowledges benefits but argues more policy debates are needed to maximize potential while ensuring privacy and effectiveness.
1. Aadhaar: Providing proof of identity to millions.
From Privacy & security risks Perspective
Kushal Horabylu Parameshwara
Rowe School of Business, Dalhousie University.
Abstract:
This report deals primarily with risks revolving around Privacy & security concerns over
Aadhaar Project. Specifically, we dig deeper to address & investigate the possibilities of using
the Aadhaar details without consent or illegal access to the information. Through the analysis,
We will also be identifying independent risk owner as well as suggest suitable
recommendations.
I. Introduction:
Aadhaar is the worlds largest national identity project, launched by the government of India in
the year 2009. Fundamentally this project involves collecting and storing biometric and
demographic data in a centralized database. To date, 1.22 billion users have enrolled in the
system, with a government expenditure of US$1.4 billion (Wikipedia,2018). However, there
have been various news reports which suggest that fake and forged Aadhaar details have
facilitated frauds and unscrupulous activities (The Wire,2018).
In this report, we address the growing concern over privacy & security towards a suitable
solution.
II. Background
Aadhaar is an ambitious project of the government of India and monitored closely by the
Unique Identification Authority of India (UIDAI). On 3 March 2016, a money bill was
introduced in the Parliament to give legislative backing to Aadhaar. On 11 March 2016, the
Aadhaar act 2016 (Wikipedia, Aadaar) was passed in the parliament which helped in mitigating
the frauds involved with the social benefit programs offered to the residents of India. The
central government also claim that Aadhaar would prevent bank frauds blamed for the rising
2. non-performing assets in the public sector banking system and also would help the government
shut down telecom connectivity to terrorists (EconomicTimes,2018).
Along with the push towards e-governance, any digitization of residents record needs to have
a unique Id’s. Standardizing the digital records through linking the Aadhars unique 12 digit Id
across all the geographies verticals and local Id’s helps to collate virtually different digital
records into one. Through the collated digital record, access to the real-time data using the Id’s
as handles can be utilized by authorized agencies for audit, monitoring, analyzing and planning.
It also has the potential to facilitate linking of currently isolated verticals, ie.education, census,
healthcare and so forth.
The growing concerns over the privacy issues have led social activists & commentators
including Edward Snowden (The Quint,2018) to rise against Aadhaar & its objective as well
as its implementation. There are many loopholes in the entire system that are flagged and dealt
with by UIDAI. However, despite all these efforts possible countermeasures from both
technological and legal perspective are missing.
Leveraging the scope of Aadhaar from being just an identification and authorization measure
for social benefit schemes that generate large-scale data facilitating analysis & planning can
lead to far lead benefits and recognition worldwide.
III. The Aadhaar Authentication Framework :
The Aadhar authentication system comprises of the following entities (UIDAI,2018).
1. The Unique Identification Authority of India (UIDAI) is responsible for providing the
primary identification and authentication services. It provides a unique identifier
(Aadhaar number) to each resident and maintains their biometric and demographic data
in a Central Identities Data Repository (CIDR). The UIDAI manages the CIDR and
provides identification and authentication services with yes/no answers (Uidai |
Kractivism).
2. An Authentication User Agency (AUA) who provides services to users that are
successfully authenticated. Thus, an AUA connects to the CIDR and uses Aadhaar
authentication to validate.
3. An Authentication Service Agency (ASA) is an entity that has secure leased line
connectivity with the CIDR. ASAs transmit authentication requests to CIDR on behalf
of one or more AUAs. An ASA enters into a formal contract with UIDAI (Railtel,2018).
3. 4. The users, namely, the residents of the country who enrol themselves with UIDAI and
are issued unique identification numbers (Aadhaar numbers).
5. The Point of Sale (POS) device, also known as authentication device which collects
personal identity data from Aadhaar holders, prepares the information for transmission,
transmits the authentication packets for authentication and receives the authentication
results (Aadhar Blogs,2018).
6. An Enrolment Station, which is a collection of field devices used by enrolment agencies
appointed by UIDAI to enrol people into the Aadhaar database and capture their
demographic and biometric particulars (Aadhar Blogs,2018).
Fig1: Aadhaar authentication framework.
4. IV. Risk Assessment:
Aadhar number is the core of the entire system to function. The 12 digit number is the single
unique identifier for that must function across multiple domains, which is the most significant
cause of concern. Aadhaar number necessarily needs to be disclosed in order to continue the
verification process and obtaining services. This information is now publicly available, not
just electronically but also in human-readable form. This loophole often criticized over
profiling of users across multiple service domains by service providers or interested parties.
Fig.2. A sample of data in human-readable form.[Img. Source: ZDNet] some information are
redacted to protect the data.
Apart from that few other risks involved with Project Aadhaar are,
Risk Id. Risk Impact/Severity Likelihood Risk Rating
R1 Unstable
biometrics
2 3 6
R2 Inability to
handle huge no.
of transactions
per second
3 3 9
5. R3 Errors in data
recording and
data compilation
3 4 12
R4 Sharing of
personal data
with a non-
trustworthy party
3 5 15
R5 Intrusion into
encryption
algorithms for
data
security
4 1 4
We have used the Likert test in the above study. The scores on the above table have been
arrived based on the literature review during the project course.
Impact
5 R4
4 R5
3 R2 R3
2 R1
1
1 2 3 4 5
Probability of occurrence
Fig.3: Risk severity matrix
So from the risk assessment, we can infer that R4 & R5 are severe threats to the Aadhaar
project. Throughout this report, we shall be discussing recommendations to mitigate the risks.
6. V. Recommendations:
We will be first recommending based on the framework of authentication itself. In the
diagram below, we have tried to identify the gaps at each phase & addressed the situation
with the suitable recommendation.
Fig.4: Gaps & recommendation in the authentication framework.
It is essential for an independent third party to play the role of an auditor. Even though all the
encrypted data are stored within the UIDAI specifications, an insider always can be a threat to
privacy.
Now referring back to our risk assessment, these are the following final recommendations to
mitigate the risk.
Issue 1: Authentication without consent.
Shortcomings in UIDAI measures:
• Biometric & demographic data are public, henceforth can be used without consent.
Recommendation:
1. Demarcate identity verification & authentication.
2. Strengthen legal and policy framework.
Issue 2: Identification without consent using the Aadhaar number.
Shortcomings in UIDAI measures:
7. • Unidirectional linking from AUA- specific local ids to Aadhaar Id.
• No guidelines on safe maintenance of Aadhaar numbers by AUAs.
• Vulnerable to correlations of identity across domains.
Recommendation:
1. Unidirectional linking from Aadhaar ids to AUA-specific ids.
2. Cryptographically embedded Aadhaar id (Whitebox Cryptography) into AUA-
specific ids making correlations impossible.
Issue 3: Unlawful access to CIDR data leading to profiling, tracking & surveillance.
Shortcomings in UIDAI measures:
• Inadequate protection against insider attack on CIDR data.
• CIDR data is encrypted but, the decryption key resides within CIDR officials;
increasing the stakes of an insider attack.
• Managers in UIDAI have access to decryption skills.
Recommendation:
1. Separate administrative control for online audit & key management.
2. Legal framework fo the above.
3. All the biometric data must be stored using Hash Cryptography format (Hash
Cryptography).
4. Manual inspection of CIDR data must not be possible.
5. The only pre-approved & audited computer programs with tamper proof guarantees
should access CIDR data.
6. Using modern tools from computer science to implement the recommendations
mentioned above.
VI. Conclusion
Even though there are serious privacy concerns, it would be hard not to
consider the benefits of the entire ambitious project. Technology can play
a very crucial part in making the Aadhar safe if implemented with due
diligence. Above all, the question that remains unanswered is “who
should be given the rights to verify the identity of an individual & under
what circumstances?”. This project still requires comprehensive policy
debates on all angles to realize the maximum potential &its effectiveness.
8. References:
Aadhaar - Wikipedia. (n.d.). Retrieved from
https://en.wikipedia.org/wiki/Unique_Identification_Authority_of_India
Aadhaar (targeted Delivery Of Financial And Other ... (n.d.). Retrieved from
https://en.wikipedia.org/wiki/Aadhaar_(Targeted_Delivery_of_Financial_and_other_
Aadhaar: Aadhaar To Prevent Bank Frauds, Terror Attacks ... (n.d.). Retrieved from
https://economictimes.indiatimes.com/news/politics-and-nation/page-3-aadhaar-to-
Aadhaar A Mass Surveillance System In Today’s Time: Snowden. (n.d.). Retrieved from
https://www.thequint.com/news/india/nsa-whistleblower-edward-snowden-on-aadhaar
Aadhaar Based Services - Railtel. (n.d.). Retrieved from
https://www.railtelindia.com/our-expertise/aadhaar-based-services.html
Aadhaar Related Articles: 12086 - Privacy And Security Of ... (n.d.). Retrieved from
http://aadhaar-articles.blogspot.com/2017/09/12086-privacy-and-security-of-aadha
The Planning Commission: Government of India. 2011 (December). Report of the Group of
Experts on Privacy chaired by Justice A P Shah. Retrieved from
http://planningcommission:nic:in/reports/genrep/rep privacy
UIDAI. 2016b. Operating Model Overview. Retrieved from
https://uidai:gov:in/authentication-2/operation-model:html.
Operation Model - Unique Identification Authority Of India ... (n.d.). Retrieved from
https://www.uidai.gov.in/authentication/authentication-overview/operation-model.
Uidai | Kractivism | Page 10. (n.d.). Retrieved from
http://www.kractivist.org/tag/uidai/page/10/
A New Data Leak Hits Aadhaar, India's National Id Database ... (n.d.). Retrieved from
https://www.zdnet.com/article/another-data-leak-hits-india-aadhaar-biometric-dat
What Is White Box Cryptography - Rambus. (n.d.). Retrieved from
https://www.rambus.com/blogs/what-is-white-box-cryptography/
The Wire,2018: retrieved from https://thewire.in/economy/aadhaar-fraud-uidai