The “relative print” feature in the Aadhaar enrolment client

Every enrolment operator has always had full access to every resident’s demographic data

On 3 January, 2017, The Tribune published one of the best kept secrets in the Aadhaar enrolment ecosystem: that anyone can access the demographic details of all residents by paying just ₹500.

Rs 500, 10 minutes, and you have access to billion Aadhaar details

The news sent shock waves, and the UIDAI — which did not have a Chief Information Security Officer (CISO) and hence lacked a Standard Operating Procedure (SOP) — responded through a predictable pattern.

First came the denial:

UIDAI denies any breach of Aadhaar data

Then came the police case:

FIR against Tribune reporter over Aadhaar data breach story

And when that blew up, obfuscation and deflection asserting that even if access was indeed available, it is impossible to get the details of one billion residents:

There has been no Aadhaar data-breach till date: RS Sharma

Clearing the air on Aadhaar data breach

While this was called out by Kiran Jonnalagadda in his Mint opinion column, the assumption in his response was that a name search was not available (emphasis added):

The Tribune breach required one to know an Aadhaar number to retrieve personal information. It takes a computer mere seconds to produce all 80 billion possible Aadhaar numbers. The one billion currently-valid numbers can be filtered out by using the 130 million already-leaked numbers, and the rest using a number of verification services, including UIDAI’s own — which is technically protected by a “captcha” to prevent such automated attempts, but which is so trivial that amateurs break it to win programming contests, and then share on code repository GitHub.com.

This assumption is flawed. By forensic investigation from publicly available sources, we can show that everyone who had access to the Aadhaar enrolment client could view any resident’s demographic information by merely searching for a name.

Two stories and a familiar response

The twitter handle @databaazi alerted its followers that anyone who knows an enrolment operator can obtain the details of any resident through a name query.

This is an explosive claim, but we need proof that substantiates this claim, and two stories by Times of India reporter Sunitha Rao provide an early indicator that this was indeed the case.

On August 31, 2015, TOI published a story that PVC cards are available without any check. The story had some interesting details.

A case in point: At a private agency in Malleswaram, all that you have to provide is your Aadhaar number and pay Rs 25. No questions are asked about biometric details or passwords. The person at the centre gives his thumb impression, accesses the cardholder’s data, and the smart card is ready in a few minutes.

But the person managing the Malleswaram agency said the Aadhaar number is enough to issue smart cards. “I will give my thumb impression and get the data and print it on the smart card.” He only smiled when TOI asked, “Does it not amount to data leakage?”

Ashok Lenin, deputy director, UIDAI, said: “Smartcards cannot be issued unless the person is present at the centre. Forget getting others’ cards, I cannot take my wife’s Aadhaar smart card. There must be a mistake if the agent is issuing it. I will initiate an investigation immediately.”

On September 15, 2015, Sunitha Rao put out a follow up story, which had the following details.

Lenin said, “I would not call this data hacking. Karvy told us they accessed the data through the enrolment client used to update Aadhaar details. We are yet to figure out how they took out data of people without biometric authentication. They were certainly not authorized to print Aadhaar details on plastic cards. An official inquiry into the matter is under way. We’ve asked for a detailed written statement from them but have not received any response so far.”

The sequence of events here follow a predictable pattern as described below:

1. Contrary to popular claim, the Aadhaar holder’s presence is not necessary to access her details, and just the Aadhaar number is sufficient.
2. The operator put his fingerprint and not the holder’s fingerprint to fetch the details.
3. UIDAI’s deputy director Lenin, first denied that this was not possible and even he can’t access his wife’s Aadhaar details.
4. However in the second story, there is indirect admission that this was indeed possible, but it is not called data hacking and they are yet to figure out how it was possible using the enrolment client.

Enrolment client

The user manual of the enrolment client (Update Client Lite) is available here. The purpose of this application is to assist the resident in updating their demographic details.

However it also had an extra function called “e-Aadhaar printing and update”.

This function had a “search” feature which allowed a resident — meaning anyone — to figure out the enrolment ID or Aadhaar ID by just providing basic demographic details.

Surprisingly, the application also allowed any resident to authenticate themselves and then print any other resident’s e-Aadhaar details, using the “relative” option.

Reiterating what we have established so far:

1. An operator who uses the UCL client can do a demographic search and get anyone’s UID and Enrolment ID.
2. He can put this own fingerprint and that UID, and generate e-Aadhaar for that resident.
3. This implies anyone who has a valid UID and access to the UCL Client can actually view a resident’s details by putting their fingerprint, via a mere demographic search.
4. UIDAI’s deputy director Lenin apparently did not know that this was indeed possible when TOI reported the story on 31 August, 2015.

Let us now examine if the “relative print” hole has been closed after TOI’s story. There exists another version of the same document on Citizen Service Centres (CSC) website captured by Archive.org on 22 February, 2016, which shows the feature as still being available.

The outsourcing problem

Why would a deputy director of UIDAI not be aware of the specifics of the Update Client Lite application? The user manual offers a clue that it is developed by HCL, a Managed Service Provider (MSP).

This is further confirmed by media reports and by HCL itself that it was indeed the case.

UIDAI inks contract with HCL Infosystems - HCL Infosystems

It is now evident that UIDAI not only used third parties for resident enrolment, but also for developing the various enrolment applications used by these agents. Every one of these vendors and third parties are selected based on L1 (lowest cost) bidding model (source), and have their own cost and time pressures to make a profit.

Their shortcuts such as the “relative print” option — which allows any resident to obtain the details of any other resident — were only discovered in the field and the authority is usually caught unaware, and the familiar pattern of denial, obfuscation and legal threats then follows.

Conclusion

It is incorrect to state that Rachna Khaira was the first journalist who showed anyone could purchase access to any resident’s demographic details. As the above sequence shows that it was actually Sunitha Rao of Times of India in August 2015.

However, any enrolment operator had such access (including name search) from 1.5.2014 (Version 1.0) onwards — as the user manual clearly indicates — and the UIDAI deputy director was not aware of this gaping hole because of the outsourcing model that UIDAI embarked on for “speed”.

Speed trumps safety, not only in driving, but also in software development.