How Does Aadhaar Compare With Other ID Systems In The World & How To Secure Its Leaky Database
Aadhaar was designed to cut out the middleman, eradicate corruption and ensure subsidized goods and services (on behalf of the state and central government) reached the final, intended recipients. Sounds like a great concept in theory, right?
To say that India is obsessed with Aadhaar of late would be an understatement.
The government, in May, announced that it will be compulsory to add the Aadhaar details to bank accounts by December 31 this year, failing which the banks will invalidate them. Those opening a bank account will also need to have an Aadhaar card. Additionally, transactions of Rs 50,000 and above will also need an Aadhaar card.
Aadhaar is arguably the world's largest biometric identification system, and from a benign system designed to do good, it's turning into somewhat of an Orwellian nightmare, where the state can easily infringe upon its citizen¡¯s right to privacy. Everything from your bank accounts, private micro-payment systems, airline and telecom companies, and more are demanding an Aadhaar card to ascertain your identity. With increased demands for Aadhaar authentication comes the risk of abuse. Like the recent alleged Reliance Jio data hack, when a recent report on a website claimed that sensitive details, including mobile and Aadhaar numbers, of millions of subscribers were leaked online. Is that fair and is it right?
REUTERS
Aadhaar was designed with an aim to cut out the middleman, eradicate corruption and to ensure that subsidised goods and services (on behalf of the state and central government) reach the deserving recipients. Sounds like a great concept, in theory, right? But then the cracks started to emerge. The Aadhaar database has some serious security holes in it, and it¡¯s been leaking data steadily for a long time. Just recently, the single largest data breach revealed private information of 13 crore Aadhaar Card Holders online.
The reality is simple. Whether you like it or not, Aadhaar is here to stay; and along with it the biometric data - fingerprints, iris scans - of over 100 crore Indians hangs in the balance. It cannot be simply wished away anymore. It¡¯s a technological and legal problem that needs to be solved to prevent further damage.
How do Aadhaar like systems work in other parts of the world
The biggest debate around Aadhaar right now is whether enrollment should be made mandatory, and become the central identity authentication tool used in the private sector, too.
Aadhaar is certainly one of its kind when it comes to the scale anywhere in the world, but other countries have tried issuing government identity proofs. While Indonesia started rolling out its eKTP national identification system since 2006, issuing an electronic card which contains fingerprints of citizens that must be reissued every five years, Malaysia has one of the oldest biometric identification systems in the world called MyKad, which was introduced in 2001.
AFP
While the Indonesian eKTP seems to be benign and not necessarily used as an identity authentication tool, the Malaysian MyKad system has penetrated into the chip-enabled card being as the single point of identification and authentication in places like ATM kiosks, at toll booths on highways, electronic cash for micropayments and digital certificate as a public identifier.
In fact, the Malaysian MyKad enrollment is apparently compulsory for citizens and the card must be carried on their person at all times - not doing so can incur heavy monetary fines and even imprisonment for up to three years, according to reports.
It¡¯s not difficult to imagine a similar scenario with Aadhaar in India sometime in the future, where carrying it on your person becomes a legal necessity and having it as a central authentication tool a way of life - severely sacrificing a citizen¡¯s sense of privacy. But what¡¯s even scarier is the thought that you are not in control of your identity - that there exists a centralized database of your fingerprints and iris scans that can be used by the government and third parties without your knowledge - as opposed to all of that residing offline in a chip enabled card that you have complete control over as to when or when not to use.
Is Aadhaar similar to Social Security Number in the USA? In one word - No
For good reason, the so-called first world (Western democracies) have been vehemently opposed to centralised biometric databases and identity registries, precisely with regards to prevent the abuse of its citizens¡¯ right to privacy.
The Social Security Number (SSN) is a tool to ascertain the income of any American individual and calculate the amount of social security credit they¡¯re entitled to - based on their individual financial health. The US issues SSNs only to its citizens and doesn¡¯t collect any biometric data of the individuals that are enrolled in the scheme. Aadhaar, on the other hand, is an identity authentical tool with biometric markers to ascertain an individual¡¯s identity. This is not the only place where the similarities between Aadhaar and SSNs end. There¡¯s more.
Where SSN is a dumb number that¡¯s attached to an individual¡¯s profile in a company or US government agency¡¯s database, Aadhaar is a tool for authenticating a person¡¯s identity. Think of it like a digital key or a username and password of sorts which authenticates you into a digital system, wherever you¡¯re trying to prove that you are in fact you - in the eyes of the authority.
AFP
Increasingly, with Aadhaar, the authority can mean not just government agencies but also private entities -- for instance, Microsoft recently launched a version of Skype for India with Aadhaar authentication embedded within. Earlier, last year, and even now, Reliance Jio subscriptions required Aadhaar authentication of customers -- that¡¯s right, Reliance was pulling in Aadhaar data to confirm whether the fingerprints of a person waiting in line for the Jio SIM card matched with his or her Aadhaar card or not. The US¡¯ SSN was strictly meant for use by government agencies, but its abuse by the private sector has been identified as a crucial link for the rising number of identity thefts in America.
Ultimately, there are federal and state-level laws in the US that restrict the use of SSN across different government databases as a marker to identify a person¡¯s identity. Aadhaar, on the other hand, has been spearheaded by the government as a token across databases to identify someone within the country, to the extent where they leave a trail of transactions - in the bank, while booking an airline ticket, train ticket, buying a SIM card, and more.
Lastly, where the US firmly decided against encapsulating its citizens¡¯ biometric profile to the Social Security Number cards back in 2007, Aadhaar¡¯s use and proliferation is only going to increase in the days and months to come, as the government is pushing hard for its adoption across different central and private database systems.
How to secure Aadhaar like databases to prevent data breaches?
We all know that Aadhaar is leaky. In the face of this reality, there are only two alternatives that we have - either to destroy Aadhaar or plug its security holes in a way that they don¡¯t get exploited in the future (the latter is no easy feat). Maybe biometric databases are inherently doomed from a security perspective, who knows?
Mr Altaf Halde, who's the Managing Director at Kaspersky Lab - South Asia, a leading security company, has some important thoughts on the matter. "With the widespread adoption of biometrics, we have seen its amazing security slip. The technology¡¯s popularity is actually a major contributing factor to this slide, for two reasons. First, security specification standards for consumer goods are lower than they are in mission-critical implementations. Second, a broad field of easily obtainable gadgets gives criminals a huge test bed of consumer devices to experiment with and find more and more vulnerabilities for their own benefit, of course. The rapid development of 3D printing has also contributed to biometrics¡¯ vulnerability."
"Fortunately, biometric data is not stored as is," explains Mr Halde, "A server receives only hashed scanning results, making outright theft a less-attractive option. Nonetheless, criminals can still use methods such as man-in-the-middle attack, inserting themselves into the data transfer channel between an ATM and a processing centre to steal users' money, for instance."
As far as securing digital systems and databases online is concerned, it¡¯s important to take into consideration the potential of human error as the weakest link in the chain. Technology, of course, is a core part of any solution for dealing with malware, according to Mr Halde. But he believes it would be unwise to ignore the human dimension of security. He adds further, ¡°In the real world, we know that burglar alarms, window locks and security chains on the front door can be effective ways to secure a property. But they won¡¯t prevent an unsuspecting victim from jeopardising their security by opening the door to a stranger. Similarly, a corporate security strategy will be less effective if it doesn¡¯t address the human element. We need to find imaginative ways of ¡®patching¡¯ human resources as well as securing digital resources."
Finally, it's one identity versus multiple identities versus privacy versus...
When you think about Aadhaar, think about this: All of us have multiple identities online. Our identity on Facebook is different from that on Twitter; similarly what we share on Tinder is starkly different from what we share on LinkedIn, which is slightly different from the kind of conversations we have on Quora. And if anyone came to know of our secret profiles on X-rated websites. And what we are offline, away from our online persona, is something different altogether.
Now imagine if all of our multiple identities across these multiple websites were fused into one by a giant corporation, behind our back, in violation of the individual terms and conditions we signed up for when we willfully created an account on each one of them. Wouldn't that be scary? Wouldn't it be a violation of our trust? Imagine what a business-driven, profit-oriented corporation would do with that kind of intimate data -- data that which we thought was private, our own.
While it may have our best interests at heart, we expect our government to be at least slightly more sympathetic to our cause with our Aadhaar data than what a private corporation would ever be. Because there is absolutely zero margin for error, when the stakes are so stratospherically high.