Four Reasons You Should Worry About Aadhaar’s Use of Biometrics

Aadhaar is premised on the infallibility and security of an individual’s biometric data – her fingerprints and iris scans. But this is just a myth.

Unlike passwords and credit card information, once a person's biometric information is compromised, it can never be replaced. Credit: Flickr/cafecredit.com CC 2.0


The opposition to Aadhaar mostly centres on the issues of surveillance and privacy. While these are very important issues, the lofty platform on which Aadhaar stands is supported on the myth that biometric based identity is infallible, robust and safe. None of this is true, which therefore brings into question the very utility of Aadhaar, as also the unforeseen complications it may cause.

Need to update biometric information throughout lifetime

This is enshrined in sections 6 and 31(2) of the Aadhaar Act:

[Image: text of section 6 of the Aadhaar Act]

[Image: text of section 31(2) of the Aadhaar Act]

Five points are immediately apparent:

  1. This flies in the face of UIDAI’s repeated advertisements that Aadhaar enrolment is a “one-time” affair. It is not and will never be.
  2. This recognises the fact that biometrics is a changeable entity. Some of the obviously imaginable reasons are ageing, manual labour, injury, illness, etc. But is there a way whereby a person can look in the mirror or look at his fingers and estimate that he is due for update? There is no objective means to comply with the aforementioned sections.
  3. Since the promise of Aadhaar as a unique identity hinges on the uniqueness of biometrics, it would be logical to assume that any update to biometric data should go through the same rigour as a new enrolment. Regulation 19(a) under Chapter IV of the Aadhaar (Enrolment and Update) Regulations, 2016 is pretty clueless here: [Image: text of Regulation 19(a)] What biometric authentication, when the purpose is to update the biometrics? Is there an implied expectation that the person is supposed to revisit the enrolment centre before all ten fingers and two irises go out of range?
  4. The conditionality imposed here is without precedent or law, not even for the worst convicts. Aside from the ethical question, it is potentially a perpetual source of harassment, with no clearly defined solution.
  5. Periodic update of biometrics has already been institutionalized for the poorer sections of our society through such things as mandatory Aadhaar authentication for PDS rations. The other India can be easily netted by such things as mandatory eKYC for mobile SIMs from time to time.

No access to biometric records in the database

Section 28(5) of the Aadhaar Act disallows an individual access to the biometric information that forms the core of his unique ID. There are four problems with this.

[Image: text of section 28(5) of the Aadhaar Act]

  1. This leaves no room to verify whether the biometrics have been recorded correctly or not in the first place, when that same information forms the basis of identity.
  2. This leaves open the possibility of fraudulently replacing a person’s biometric identity. Even the enrolment operator (with a software hack) could upload someone else’s biometrics against another person.
  3. This is totally unlike other identity documents (like say passport), where all information necessary to serve as proof of identity is printed on the document itself. It serves as receipt for the information supplied and is in the custody of the individual to whom it matters.
  4. As there is no access to the biometrics in the database, there is technically no means to ascertain beforehand whether one or more of the biometrics is due for update. The only way to guess is after facing an authentication failure in the field.

Uncertainty of biometric authentication

Under various sections of the Aadhaar Act (sections 4(3), 7, 8 and 57), an individual may be required to undergo biometric authentication as proof of identity. This is problematic for several reasons.

  1. Biometric authentication is essentially a method of image recognition (or pattern matching) and always results in a probabilistic score, rather than a clear match/mismatch. This was clearly revealed in the security breach case involving Axis Bank, Suvidhaa Infoserve and eMudhra. The source of UIDAI’s suspicion was that several authentication requests yielded the exact same score, which could not be possible if live fingerprints were used.
  2. Variability of the matching score is influenced by a variety of reasons, like the way the fingerprint/iris image is captured, different makes of biometric devices and above all, ageing and resultant changes to the human body. Biometric authentication can thus never serve as a fail-safe proof of identity. It must always be supplemented by an alternative proof, which then defeats the very purpose of biometric identity.
  3. The entire burden of uncertainty is borne by the individual. If authentication fails on all counts, the only recourse available is to update the biometrics in the database, which is again governed by ambiguous regulations (see part 1).
  4. Large scale authentication failures are already a reality across states where Aadhaar authentication has been made mandatory for welfare programmes like PDS and pensions.
  5. Authentication using mobile OTP is sometimes advertised as a fallback option to biometric authentication. This is a complete antithesis to biometric identity, as it essentially considers a person’s mobile number to be his unique ID.
  6. Mobile OTP in the context of banking transactions is totally different, as it is used as an additional layer of security over and above PIN/password. Here it is being served as an alternative to biometric authentication, which effectively leaves mobile OTP as the only layer of security.
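Points 1 and 2 above (and the identical-score observation from the Axis Bank case) can be illustrated with a small simulation. The following is an added example, not code from the article or from UIDAI: the “templates” are constructed 32-value feature vectors, the noise model and the similarity function are assumptions chosen to make the score behaviour visible, and the threshold of 0.9 is arbitrary. It shows that a live capture never yields the same score twice, that a fixed threshold turns into false rejects as capture noise rises (the worn-finger case), and how a defender-side check that flags bit-identical scores across attempts would look.

```python
import random

# Constructed toy templates: 32 feature values in [0, 1]. This is an
# illustration of probabilistic matching, not a real fingerprint or iris format.
TEMPLATE_LEN = 32
THRESHOLD = 0.9  # assumed decision threshold


def make_template(seed, n=TEMPLATE_LEN):
    """Deterministic stand-in for an enrolled template (constructed data)."""
    rng = random.Random(seed)
    return [rng.uniform(0.0, 1.0) for _ in range(n)]


def capture(template, noise, rng):
    """Simulate one live capture: every feature is perturbed by sensor/skin noise."""
    return [v + rng.gauss(0.0, noise) for v in template]


def match_score(enrolled, probe):
    """Similarity in [0, 1]: 1 minus the mean absolute feature difference."""
    diff = sum(abs(a - b) for a, b in zip(enrolled, probe)) / len(enrolled)
    return max(0.0, 1.0 - diff)


def decide(score, threshold=THRESHOLD):
    """The yes/no the relying party sees is just a threshold on a continuous score."""
    return "match" if score >= threshold else "no-match"


def simulate_attempts(enrolled, live_template, attempts, noise, seed):
    """Scores from repeated live captures of the same (or a different) finger."""
    rng = random.Random(seed)
    return [match_score(enrolled, capture(live_template, noise, rng))
            for _ in range(attempts)]


def false_reject_rate(scores, threshold=THRESHOLD):
    """Fraction of genuine attempts that the threshold rejected."""
    rejected = sum(1 for s in scores if decide(s, threshold) == "no-match")
    return rejected / len(scores)


def flag_identical_scores(scores):
    """Defender-side check in the spirit of the Axis Bank episode: live captures
    do not produce bit-identical scores, so a score that repeats across attempts
    is suspicious. Returns {score: [attempt indices]} for every repeated score."""
    seen = {}
    for i, s in enumerate(scores):
        seen.setdefault(s, []).append(i)
    return {s: idx for s, idx in seen.items() if len(idx) > 1}


def demo():
    enrolled = make_template(seed=1)
    # Same finger, low noise: scores vary slightly but all clear the threshold.
    genuine = simulate_attempts(enrolled, enrolled, 20, noise=0.02, seed=10)
    # Same finger, heavy noise (worn or damaged skin): mostly false rejects.
    worn = simulate_attempts(enrolled, enrolled, 20, noise=0.25, seed=11)
    # Different finger: scores sit well below the threshold.
    impostor = simulate_attempts(enrolled, make_template(seed=2), 20,
                                 noise=0.02, seed=12)
    # One stored capture submitted three times: identical scores every time.
    stored_probe = capture(enrolled, 0.02, random.Random(13))
    replayed = [match_score(enrolled, stored_probe)] * 3
    return {
        "genuine_min": min(genuine),
        "worn_frr": false_reject_rate(worn),
        "impostor_max": max(impostor),
        "replay_flags": flag_identical_scores(replayed),
        "live_flags": flag_identical_scores(genuine),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The identical-score check is only a weak signal: it catches the crudest reuse of a stored sample and says nothing about whether the sample came from a live finger, which is the limitation point 3 under “Risk of identity theft” below describes. The worn-finger run is the quantitative face of point 2: the same threshold that keeps impostors out also rejects a genuine user whose captures have become noisy, and nothing in the score tells the user that an update is due.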

Risk of identity theft

Use of biometric authentication as a means of identity presents a persistent and immitigable risk of identity theft. The UIDAI’s defence is on three counts: one, the database is sufficiently encrypted and protected against breaches; two, biometric collection at the authentication end is encrypted (either in software or in hardware); three, there are penal provisions in the Aadhaar Act to deter any unauthorised access. But the technology behind Aadhaar is such that none of these measures is of any worth. Just consider the following:

  1. To commit an Aadhaar-enabled fraud, it is sufficient to fake the biometric authentication, so the security of the database itself is not a factor to consider at all.
  2. At the authentication end, no matter where the biometric image is encrypted, it is always possible to tap the raw signal just prior to that, using a software or hardware hack as may be needed. It is thus easily possible both to skim the biometrics of an unsuspecting user and to supplant a previously copied image.
  3. If the UIDAI’s defence against copied biometrics is to flag exact matching scores through successive authentication attempts, it can be easily fooled by adding a small randomization to the sample each time.
  4. Biometric authentication can even be faked externally, without any software or hardware hack. Fingerprints can be copied from a variety of surfaces (even from the surface of the scanner device itself) and used to create a dummy finger. Similarly, iris image could be skimmed from photographs and supplanted on an artificial eye-like object. It should always be remembered that at the other end is a machine, so a few rounds of trial and error are all that would be needed to perfect the fraud.
  5. Through all the above, the only assurance that biometrics are captured from a live individual is the honesty of the operator, which is no improvement from the situation without Aadhaar.
  6. What makes biometric authentication particularly risky is that biometric identity once breached is unusable for life. Penal provisions to punish anyone are immaterial here. Contrast this with regular authentication systems based on password or PIN. They could be changed as a regular practice, or at least upon knowledge of breach.
  7. The potential gains from Aadhaar related fraud are huge, so we should expect people to invest their time, effort and money to stay ahead of the system.

L. Viswanath is an engineering professional working in Bengaluru. He blogs at bulletman.wordpress.com.

Categories: Featured, Rights

  • K SHESHU BABU

    As stated, the consequences of using aadhar by the rulers can be grave. Chances of frauds are high. Still, the government is trying to link and rope in as many schemes as it desires into aadhar fold, that too, frequently violating the verdicts of SC delivered from time to time. Unless awareness and protest against the linkage of aadhar increases, the process of ‘aadhar-isation’ of indian people may continue smoothly …

  • Ashok Akbar Gonsalves

    The article raises several valid points. Thank you for the information.
    I found it particularly worrying that one does not have regular access to one’s biometric records in the database. With any other valid ID proof document, e.g. my passport, I always have the assurance that it is authentic and “with me” since I physically have it with me as my ID proof. That’s not the case with Aadhaar, because here my ID proof requires a matching of my fingerprints/iris with my stored biometrics, which I am denied access to. So in essence, my ID proof is not “with me”. How bizarre is that!

  • Ashok Akbar Gonsalves

    >>>> 2) I have seen my own mother’s fingers. They are worn completely smooth due to years of domestic work!<<<<<

    To add to that, sir:
    My wife suffers from an allergy that causes the skin on her fingers to become rough and even start bleeding during winter. Biometric attendance simply does not work for her at her place of work, so she has to use a conventional key card. Will Aadhaar technology solve her problem?
    Even in the most technologically advanced nation on earth – USA – they DO NOT TAKE biometrics for their 80-year old Social Security numbering system, and that’s primarily due to two concerns that override everything else: privacy and identity theft. What do we know that they don’t?

  • Ashok Akbar Gonsalves

    You think so, sir? Can you please tell me exactly what was wrong in my statement on the US Social Security Number system? I got my information from friends in the US, as well as this document from the US Social Security Administration website: https://www.ssa.gov/pubs/EN-05-10002.pdf
    From what I understood, what’s required for getting a Social Security Number in the US are: Proof of US citizenship (birth certificate, passport etc), age proof. identity proof (passport, drivers license etc) and a filled application form. That’s all. One need not even go to a Social Security Office – all the documents may be mailed to them.
    What am I missing here?
    Thanks!

  • Ashok Akbar Gonsalves

    My finger prints and eyes are obviously with me, but I cannot access my biometric records. Since BOTH are required to establish my identity – my fingerprints/iris AND the recorded biometrics – and I cannot access the latter, it’s pretty clear that effectively my identity is NOT WITH ME. In contrast, I can show my passport at anytime (at the airport, e.g.) and that proves then and there that I am who I claim to be. Without the immediate availability of a working authentication system (by which I mean the authentication machine and internet connectivity to the biometric records server), Aadhaar is NOT AN ID PROOF.
    I think that’s a simple logical deduction, sir. IMO, it is YOU who has got your arguments slightly mixed up, sorry to say.

  • Ashok Akbar Gonsalves

    Thanks for the reply – appreciate it.
    But, I don’t think you are right – mere possession of the Aadhaar card does NOT make it a valid ID card and here’s why:
    Refer to this: https://scroll.in/article/832595/privacy-security-and-egality-are-not-the-only-serious-problems-with-aadhaar-here-are-four-more
    As stated by UIDAI, a black and white print out of the downloaded Aadhaar card is as valid as the original Aadhaar card sent by UIDAI – but this is JUST FOR THE INFORMATION CONTAINED THEREIN, not as an ID. And note what UIDAI further goes on to say (Clause 4): “……Aadhaar number may be accepted as proof of identity of its holder BUT SUBJECT TO AUTHENTICATION.”
    And that’s how it should be because a mere black and white printout can be easily forged and misused and so biometric authentication should be mandatory for establishing identity.
    Biometric authentication is THE CORNERSTONE of Aadhar – just having a card is pretty much useless as your ID proof.

  • Ashok Akbar Gonsalves

    Thanks for your reply. Sorry, but I don’t think that’s the way it works. To “verify the identity”, a biometric match is necessary. There’s nothing like “authenticating a transaction” – there’s only authentication of the identity and Aadhaar does that ONLY through biometrics. That is the basic premise of Aadhaar.

  • Ashok Akbar Gonsalves

    One other point – even if I assume that what you say is correct (i.e. someone can punch in my Aadhaar number to access my details and verify my identity without biometric matching), it again brings us back to my original contention: mere physical possession of the Aadhaar card in some form is not enough to establish my identity, which means my identity is not WITH ME. I cannot just flash my Aadhaar card and say “Hey, I am XYZ”, like I CAN do with my passport.
    Thanks!

  • Ashok Akbar Gonsalves

    Thank you for your reply, sir. But you are completely missing the point, which is: The UIDAI says that a simple black and white print out is good enough BUT ONLY FOR GETTING THE INFORMATION on the card itself, nothing more. The card by itself, or its printout, is NOT AN ID PROOF. And that makes sense BECAUSE print outs can be easily forged. Denial of access to biometric data has NOTHING TO DO with risk of forgery of the card, simply because the biometrics are not dependent on the card.
    Please try to understand the issue here.

  • bulletman

    No one knows that, unless you take govt. propaganda at face value. The fact is that all people who are not submitting Aadhaar are struck off the rolls. Those who have submitted are also facing lot of problems due to authentication failures. This is the reality from Rajasthan, AP, Jharkhand… A large part of the “savings” is actually money unspent on erstwhile genuine beneficiaries. The govt.’s lie was exposed when it tried to pass off savings in LPG due to falling crude prices as being due to DBT.

  • mathew162003

    It has been established by joint research of 4 of the topmost US National Academies (Academy of Sciences, Academy of Engineering, Institute of Medicine and the National Academic Research Council) that biometrics is “inherently fallible”. The gullible fall prey to corporate lobbyists pushing the biometric recognition wares. Two received awards from the biometrics International consortium – Pakistan’s Tariq Malik, Chairman of NADRA, and Nandan Nilekani, former chairman of UIDAI.