Is India better off without Aadhaar?

How to move forward after a data breach affects India’s biometric ID system

Reports of data security breaches have become increasingly prevalent in recent years. As various countries across the globe establish national identity databases and centralized credit bureaus, such as DNI in Peru, NADRA in Pakistan, Aadhaar in India, and CNIC in Thailand, media coverage of incidents is amplified. In 2016, over 4.2 billion data records were exposed globally. These attacks are not limited to emerging markets, as proven by the recent breach of US-based credit bureau service Equifax, which exposed several hundred million consumers’ information — including names, Social Security numbers, birth dates, and addresses. Late last year, researchers discovered a flaw in Apple’s macOS that enabled super-user access to any Apple device, enabling malicious software to be installed easily and remotely. Now, India’s Aadhaar database has joined the long list of data breaches, as recent reports indicate that access was purchased through a WhatsApp group to the Aadhaar portal and the private data of over 1.2 billion Indians, all for a paltry sum of 500 rupees — about US$ 8.00.

When you see news of a crack in data security, you may picture savvy hackers exposing cryptographic vulnerabilities to access your banking information, but this isn’t always the case. Human error, process failures, and policy violations are overwhelmingly the most significant causes of such breaches and leaks of sensitive personal information.

In addition, while it is true that the majority of data attacks are executed outside the targeted organization, more often than not, the exposed weakness that enabled them was initiated — unwittingly — by internal staff. According to a survey from the Information Security Forum, in most cases, employees were doing ordinary tasks, like taking files home to work in the evening, with no malicious intention of harming employers or their customers.

In other words, the human-driven processes that compliment secure technologies are equally as important as the technologies themselves. These processes can be easily overlooked or become out-of-date, leaving even the most robust of digital security systems useless for preventing criminal access.

The Aadhaar security breach is a prime example of this type of internal process failure. Analysis indicates that this is a case of mismanagement and poor administration within the government bureau that manages Aadhaar, UIDAI, where UIDAI’s operations team failed to block (or delete) defunct legitimately issued access rights.

To meet the government’s ambition of registering hundreds of millions of Indians with Aadhaar identity cards, approximately 300,000 Village Level Enterprises (VLEs) were initially employed under the government’s Common Services Centres Scheme (CSCS). Once the targets were met (or the initiative had reached a logical conclusion), these jobs went away. But the access rights were not disabled by UIDAI staff, enabling malicious individuals to abuse the privilege.

From a financial inclusion point of view, robust identification is a fundamental requirement for micro-entrepreneurs to access the financial tools that provide growth and stability. Centralized identity databases enable customers to access their accounts remotely, and they limit leakages by preventing multiple enrollments by the same individual. Without a clear identity that can be proven, it is nearly impossible for any individual or business to obtain the necessary financing to grow. As Makhtar Diop, the World Bank Vice President for Africa, stated in the Identification for Development annual report, “Identification provides a foundation for other rights and gives a voice to the voiceless.”

However, any system is only useful if people trust it. Trust is instilled if the system is easy to use and understand, if issues are resolved immediately, and if people believe their transactions are safe.

In India, trust in the central identity database has been shaken. This trust needs to be re-instated and amply demonstrated through better policies, governance, controls, and operational processes. These improvements should be backed by unscheduled internal and external audits to test the core system, internal operations, and the extended distributed network, which is more susceptible to such breaches. Interestingly, the Aadhaar team has now come with Virtual ID to replace the Aadhaar number for third-party verification purposes. Let’s hope this is not a knee-jerk reaction but a well-considered solution that can earn the trust of the more than 1.2 billion people of India who look to Aadhaar for their unique IDs.

Iain Brougham co-authored this post.