Is the Aadhaar database secure enough?
Aadhaar has always been under scrutiny. The previous government launched it and the opposition came down heavily on it, calling it a scam. They came to power, applauded the move and implemented it widely. Now the previous government leaves no opportunity to attack the security of the Aadhaar database.
The project went big in India. Everyone got pretty serious about it. Last month a report started doing the rounds that there was a breach in the Aadhaar database and that the information was used to issue SIM cards. Some people were arrested in this matter and everyone started getting curious about how secure the database that contains the records of the entire Indian population is. A recent report suggests that there wasn’t any breach at all.
Not secure
1. Leaked into websites
A security researcher brought to the notice of the authorities that the Aadhaar demographic data of over five lakh minors was leaked on a website. The website was immediately closed after the report, but this shows that the database is not all that secure. If it could be leaked on a website, it could be misused anywhere and in any manner.
2. Suvidha Infoserve
The Unique Identification Authority of India had itself filed a complaint with the Delhi Police against Axis Bank Limited, Suvidha Infoserve, which is a business correspondent with Axis, and eSign provider eMudhra for performing multiple Aadhaar transactions using stored biometrics. This is in violation of the Aadhaar Act, 2016, which prohibits the storage of such data.
3. You won’t be notified
The people whose information was used by these companies were not informed of it. The Aadhaar Act does not have any provision for this matter. You cannot approach a court if your data was misused in any manner. According to Section 47 (1) of the Aadhaar Act, the Unique Identification Authority of India has the exclusive power to make complaints in case of any violation or breach of privacy.
4. No RTI card
You cannot even play the Right to Information Act card in this matter. An RTI request was filed, but the Unique Identification Authority of India refused to share any information in this regard. So your information is compromised and you are not even aware of it. You cannot find out, you cannot question; there is no way you can take it to the courts.
5. No oversight mechanism or bounty reporting
There should be a reward for those who find faults in the Aadhaar database system. This would have encouraged vulnerability testing to prevent hacks and exploitative acts. However, there is absolutely no regard for these measures, which weakens security further. In fact, the opposite is possible here. An entrepreneur who published an article on the flaws of the system was immediately arrested.
6. Third party involvement
Though enrolment is done by government and public sector agencies, they hire private players to collect demographic and biometric information. Enrolment agencies are not allowed to outsource work, but they can hire enrolment operators and supervisors through third parties. This is where security gets compromised.
Very secure
1. Open source technology
According to government sources, the Aadhaar platform is built mostly on open source technologies, with proprietary technologies being used only where necessary. This means that no private contractors may sell/steal the data.
2. Proper security measures
Government sources also claim that the UIDAI has established two large-scale data centres to ensure complete security of data and applications, and that it regularly has audits conducted by reputed third party agencies to keep its systems and processes up to date. This ensures that there is no glitch in the system and hence no scope for breaches.
3. High encryption
Encryption uses the highest available public key cryptography, i.e. PKI-2048 and AES-256, with each data record having a built-in mechanism to detect any tampering. This ensures complete privacy and hence there is no need to worry about a breach.
4. Multiple vendors
Before adopting any proprietary software for biometrics, the design approach followed by the UIDAI is said to have multiple vendors in an architectural layer, with a payment model put in place such that the vendors are incentivised to improve quality, accuracy and speed. These vendors or their services can be replaced if they do not meet stringent service level agreements. More than 100 different companies are involved in the foundation, so that domination doesn’t become a problem.
Government sources have rubbished the report of a data leak from the system. Apt measures will be taken to improve it and the culprits will be punished. Regarding the safety of the system, it could do better with a few changes.