In the last few weeks, several disturbing incidents centred around the Aadhaar database have established the scope for widespread data leakage. First, a technology start-up that calls itself an Aadhaar-enabled “trust bureau” seemed to demonstrate that it could identify faces singled out from closed-circuit television footage of a crowded street — Aadhaar data was superimposed on photos (with specific fields blanked). This firm is one of the many that offer services such as identity checks, PAN verification, police record checks and employment history generation by linking an individual’s data to his 12-digit Aadhaar number. Another website filtered, compiled and published Aadhaar data to create a database listing of over 500,000 minors. This website has since been shut down by the Unique Identification Authority of India (UIDAI), but not before several telecom salesmen, who used to sell Aadhaar data, were arrested. It remains to be seen how this data was acquired and if copies of this database exist elsewhere or if it can be recreated. What all this points to is that it seems feasible to build parallel databases, which duplicate sensitive data. Indeed, it is difficult to rule out the existence of such parallel databases.
It is also difficult to argue that such incidents involving egregious misuse of Aadhaar data are unlikely to multiply. The biometric identification system is being used extensively for e-KYC (know your customer) processes for multiple purposes. There is little to prevent such data being collected, stored and re-used for illegal purposes. Indeed, as member of Parliament and technology entrepreneur Rajeev Chandrasekhar has pointed out, no regulation even makes such data storage illegal in theory. At present, anybody can enrol as an agent to verify e-KYC. The application programming interface (API) for the Aadhaar e-KYC service is publicly available from the UIDAI. Agent enrolment is a simple, quick process; the basic equipment is an inexpensive biometric fingerprint scanner connected to a smartphone. KYC user agencies and service agencies access Aadhaar data after taking the individual’s consent. The individual must input a one-time password – delivered to a registered mobile number – to agree to authentication. The UIDAI only verifies queries with a binary “yes/no”. But the agency conducting the e-KYC and verification can collect and store data at its end. Indeed, white-hat hackers have demonstrated how iris scans can even be generated from high-resolution passport photographs.
Mobile service providers and banks have used private agencies to generate e-KYC data for hundreds of millions of people. It is, therefore, quite possible that many parallel databases tied to Aadhaar already exist, and these Aadhaar numbers, in turn, are tied to other sensitive data. The aggressive rollout also means that new databases continue to proliferate. What makes matters worse is that there is no specific privacy law or data-privacy law to stop such data being stored or traded. These security breaches suggest that any future privacy legislation, or judgments by the judiciary, might only manage to close the stable door long after the proverbial horse has bolted. This also means that the eventual remedy will have to be drastic and implemented at express speed.