AADHAAR! Know the privacy and security issues with Aadhaar.

Aadhaar will become the primary identity of any person in India in the near future.

More than 90% of the population have enrolled for an Aadhaar Card. That’s HUGE!

Till now, UIDAI has performed more than 500 crore authentications and more than 100 crore Aadhaar-based e-KYC transactions for various purposes, such as opening bank accounts and getting SIM cards. Your Aadhaar information is with many banks, government agencies, vendors and businesses.

Aadhaar Architecture:
Aadhaar was built on an open architecture and designed to scale. All technical processes and technical details are considered confidential.

For a detailed look at the Aadhaar technology architecture, read the “Aadhaar Architecture and Technology” white paper here: https://goo.gl/tkoFYL

Data Security:
The UIDAI system uses 2048-bit PKI encryption and HMAC-based tamper detection to ensure that no one can decrypt and misuse the data. Resident data and raw biometrics are always kept encrypted, even within UIDAI data centres.

Aadhaar Enrolment:

Know what information is with UIDAI:

Aadhaar Authentication:

Aadhaar information with 3rd parties:

Many third parties (neither UIDAI/government officials nor entities designated to keep Aadhaar information with consent) are creating private databases of Aadhaar information and interlinking identities with other sources. For example, if a company combines Aadhaar information with e-commerce transactions, it can build a very detailed profile of an individual. Aadhaar makes it easier to compare and combine diverse databases.

I know that a company did Aadhaar seeding for RTA. RTA officials outsourced this work as they had targets on their heads to seed vehicle information/driving licence holder information and Aadhaar details. They outsourced the work in small parts to ease their process. This kind of process will lead to misuse of sensitive information in the hands of unauthorised people.

A few websites are also leaking Aadhaar information in small pieces. Gathering it requires web crawlers and effort to scrape the sensitive data online.

Public Distribution System (ration), health information, mobile number, financial details, purchases, loans, violations, travel information, PAN, electricity consumption and water consumption of a person are all linked to Aadhaar, which is nothing but their detailed profile.

How to secure your aadhaar information:

Do you know that you can lock your biometrics online?

Yes. If you want to secure your Aadhaar, you can lock your biometric access to avoid misuse. Click here to lock/unlock your biometrics. You can unlock them immediately if you want to do any fingerprint/iris authentication.

After locking your Aadhaar card once, no one will be able to read your details from the UIDAI server. Its biggest use will come when you are worried that someone else might store your fingerprint template and use it illegally.

Locked biometrics ensures that the Aadhaar holder's biometrics (fingerprints/iris) cannot be used for authentication, thus preventing potential misuse.

Fraud detection and security measures taken by UIDAI:

In February, UIDAI lodged criminal complaints against Axis Bank, Suvidhaa Infoserve and eMudhra for illegally storing and using Aadhaar data to impersonate people and carry out transactions. Allegedly, Suvidhaa Infoserve and e-sign provider eMudhra had conducted multiple transactions using the same fingerprint, which implied that organisations are illegally storing biometric data on their servers.
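The inference in the complaint above (the same fingerprint showing up in multiple transactions implies a stored capture) can be written as a check over authentication logs. This is an added example, not UIDAI's method and not code from the original post; the log fields and records are constructed, and it assumes the checker can hash each submitted capture.

```python
import hashlib
from collections import defaultdict

# Constructed sample log; every value is made up for illustration.
# Fields (hypothetical): transaction id, requesting entity, resident
# reference, biometric capture bytes as submitted.
SAMPLE_LOG = [
    ("txn-01", "entity-A", "resident-1", b"capture:7f3a91c2"),
    ("txn-02", "entity-A", "resident-2", b"capture:19bd04e7"),
    ("txn-03", "entity-B", "resident-3", b"capture:aa10ff3e"),
    ("txn-04", "entity-B", "resident-3", b"capture:aa10ff3e"),  # identical bytes
    ("txn-05", "entity-B", "resident-3", b"capture:aa10ff3e"),  # identical bytes
    ("txn-06", "entity-A", "resident-1", b"capture:7f3a91c3"),  # fresh scan, differs
]


def find_reused_captures(log):
    """Group transactions by (entity, resident, capture digest).

    A live scan practically never yields the same bytes twice, so any
    group with more than one transaction points to a stored capture
    being resubmitted. Returns {entity: [[txn ids], ...]}.
    """
    groups = defaultdict(list)
    for txn_id, entity, resident, capture in log:
        # Compare digests so the check never has to retain raw captures.
        digest = hashlib.sha256(capture).hexdigest()
        groups[(entity, resident, digest)].append(txn_id)

    flagged = defaultdict(list)
    for (entity, _resident, _digest), txn_ids in groups.items():
        if len(txn_ids) > 1:
            flagged[entity].append(txn_ids)
    return dict(flagged)


if __name__ == "__main__":
    for entity, clusters in find_reused_captures(SAMPLE_LOG).items():
        for txn_ids in clusters:
            print(f"{entity}: same capture in {len(txn_ids)} transactions: {txn_ids}")
```
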

Threat:

There is another potential area where Aadhaar can be misused. Biometrics allow citizens to be identified even when they don’t want to carry out the transaction (even while unconscious). Smart cards that require PINs, on the other hand, require the citizen’s conscious cooperation during the identification process.

What level of access does the public have?

Verify your Aadhaar with just a captcha: Click here

Update Aadhaar information:

The photo can be updated at the nearest UID centre (Ref), whereas the mobile number can be updated at any AUA/Sub-AUA/KUA/Sub-KUA vendor.

Alternatively, you can update your Name, Gender, DOB, Address, Mobile Number and Email ID online at the Aadhaar self-service update portal: https://goo.gl/9EbvZT

Instructions for aadhaar self service portal: https://goo.gl/pkLXxL

The Future:

Aadhaar authentication logs should be kept open for a person to review his/her transactions. If the person did not consent to a transaction, they would then be able to go back and review it.
A strong data protection law and privacy laws should come soon to bring an accountable structure for the use and misuse of citizen data.

One hope we have is that Aadhaar is improving every day. UIDAI has said that all devices using Aadhaar authentication will have to adhere to its new encryption standards from June 1, 2017.
