As Security Violations Erupt, Operator of India’s Biometric Database Stands at Troubling Crossroad

Why was the Delhi police and not a national investigation agency roped in to probe what may be the first publicly-known misuse of biometrics by an authorised agency?

On the streets of Hyderabad, one can purchase an Aadhaar number or a copy of an Aadhaar card for as little as Rs 5 per copy from small traders – xerox shops and the like. ‘Data brokers’ in Delhi and Mumbai, if one goes by well-sourced rumours, offer the same in larger quantities and at bulk rates. This was sparked in some measure after demonetisation, when the demand for Aadhaar numbers and a number of other identification cards was at an all-time high.

Identity theft is not new in India and it has increasingly become clear that there are a number of technical and interrelated privacy concerns surrounding the Aadhaar system.

While privacy advocates have been demanding investigations into a number of isolated (yet concerning) incidents over the past few years, the Unique Identification Authority of India (UIDAI) has paid little heed.

In the past few weeks, there have been three major incidents related to violation of privacy and security of Aadhaar. The first is an incident that I am directly involved with, where a website was found to have publicly displayed the Aadhaar numbers of over five lakh minors. This website was eventually shut down – although we don’t know for how long the data was online, whether the guardians of these minors in question would be notified of such a data breach and whether any criminal or civil action is being taken against the operators of the website.

The other two incidents are inherently linked. Earlier this week the Chairman of the Skoch Group, a think-tank known for its governance awards, wrote a post that alleged issues with Aadhaar’s security; notably with the way several intermediaries stored biometric data. The post included a video that showed an Android application performing an Aadhaar authentication process by storing a user’s biometrics after the initial first use.  The UIDAI CEO, who initially called it fake on Twitter and ignored the allegation, has now likely ordered an investigation over such a possibility.

The Aadhaar act limits the scope of an individual to file a complaint about misuse of his own Aadhaar information. It is only possible for UIDAI to order an investigation as defined in the Act, which understandably leaves the general public worried. It also classifies the biometric information as sensitive personal data and makes it a crime to store any such data. Any offences committed under the Aadhaar Act could attract jail time for up to three years.

The last, and third, incident is probably most significant. Just a week after the Skoch incident, media reports showed that the identification authority had issued notices to three agencies – who had been authorised by UIDAI to act as important intermediaries in the Aadhaar infrastructure pipeline – and issued notices about possible misuse of user biometrics under sections 29, 37, 42 and 43 of the Aadhaar Act.

But who are these authorised agencies and what do they do?

A look at Aadhaar's infrastructure pipeline. Credit: CDAC

A look at Aadhaar’s infrastructure pipeline. Credit: CDAC

The three agencies in question are Axis Bank, Mumbai-based Suvidhaa Infoserve and Bengaluru-based eMudhra.

These companies are basically service providers empanelled by UIDAI to provide authentication and e-KYC services of Aadhaar to other private players by connecting to Aadhaar databases through an Authentication Service Agency (ASA). An authentication user agency (AuA) provides authentication services to identify Aadhaar holders, a KYC user agency(KUA) would provide services to know your customers(KYC). There are other companies like Suvidhaa Infoserve which is a application service provider which provides software to AUA or KUA agencies. The Aadhaar infrastructure ecosystem has a lot of companies which were involved in creating the database and currently provide access to it for other companies through application programming interfaces (APIs).

A notice received by an authentication user agency from UIDAI as shared by Skochs Group CEO on Twitter. Credit: Twitter

One notice received by an authentication user agency from UIDAI as shared by Skochs Group CEO on Twitter. Credit: Twitter

In its notice, UIDAI has alleged that there were concurrent transactions (separate transactions happening at the exact same time) with the same biometrics through these agencies. These transactions could not be possible if the agencies had not locally stored the user’s biometric data. In cyber-security parlance, this is commonly known as a ‘relay attack’ where a person’s legitimate credentials are used to perform fraudulent transactions.

Plain, common-sense logic tells us that the time difference between different and separate requests should be take couple of minutes – even if a second transaction was initiated almost immediately. In their defense, at least one of these agencies have claimed that they were performing application testing and that the tester was using his own biometrics. Even if that was the case, any programmer familiar with testing would ask why was the testing being performed on production Aadhaar servers, which store sensitive information, than on a secondary staging server with test data?

With its notices, UIDAI has finally acted on what’s currently to be believed as first public misuse of biometrics by some of the authorised agencies in its infrastructure pipeline.

Parallel databases

It is an open secret that nearly every state government and its police department are building their own parallel databases based on Aadhaar data. These parallel databases now seem to be storing biometrics as well. This creates debate over Aadhaar-enabled payments and financial fraud and not just only about privacy.

It is interesting to know that a user’s biometrics being stored at collection is certainly possible and is an attack vector listed by a research study conducted by IIT Delhi. The study briefly mentions how the UIDAI has put in place several steps to prevent and has mitigations to prevent similar attacks. But if the entire collection process has been conducted through unsecured biometric devices, then no cyber security agency or professional can do anything at this stage.

Based off the UIDAI’s complaint, it would not be a complete stab on the dark to to assume that hardware which collects biometrics could be compromised. Security issues exists at multiple levels. Hardware security is more important than software layer, as software can be upgraded or patched but issues in chip design cannot be changed overnight. For example, If you are using a Chinese phone to collect biometrics, there is some likelihood that the Chinese manufacturer could be sending data to a remote server without anyone knowing. An RTI filed (shown below), that asked if UIDAI had a list of authorised biometric scanners, went unanswered. However, soon after that, authorities announced that such list was being created.

A copy of the RTI concerning authorised hardware manufacturers.

A copy of the RTI concerning authorised hardware manufacturers.

While this certainly could be a false alarm altogether, it is UIDAI responsibility to investigate every such complaint. What is strange though that the Delhi cyber crime cell has been asked to investigate this instead of national cyber investigation agencies like the CBI’s cyber crime cell, or CERT-In or the National Critical Information Infrastructure Protection Center (NCIIPC) under grounds of national security. Delhi cyber crime’s cell has only been functional for the last two years, and whether it has the technical capability to look into such matters is a serious question. As Aadhaar is a project of national importance, there is a stronger case to be made for national cyber security agencies to be involved in this matter.

The closed manner in which UIDAI has been conducting these matters undermines the security of a billion people. Take for instance the issue of a website exposing the Aadhaar details of lakhs of minors. After filing the complaint, we are yet to receive acknowledgement or an enquiry from the UIDAI or other relevant authorities, even after filing an incident report. How are individuals to claim compensation if this isn’t a two-way conversation? While it is certainly an encouraging step, that the UIDAI has sent notices involving a few hundred potentially fraudulent transactions, this closed atmosphere needs to change immediately.