The Aadhaar ‘breach’

Suranjana Roy, reporting for LiveMint:

The UIDAI filed a police complaint on 15 February against Axis Bank Ltd, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, alleging they had attempted unauthorized authentication and impersonation by illegally storing Aadhaar biometrics.

In terms of details:

The breach was noticed after one individual performed 397 biometric transactions between 14 July 2016 and 19 February 2017. Of these, 194 transactions were performed through Axis Bank, 112 through eMudhra and 91 through Suvidhaa Infoserve.

In a statement issued by the UIDAI, they said:

With reference to an incident of misuse of biometrics reported in a newspaper, UIDAI said that it is an isolated case of an employee working with a bank’s Business Correspondent’s company making an attempt to misuse his own biometrics which was detected by UIDAI internal security system and subsequently actions under the Aadhaar Act have been initiated.

It looks like an employee working within the Aadhaar framework played with the data (the UIDAI says it was his own data), and that it was UIDAI that flagged the issue and filed a criminal case against the parties involved. In technical terms, the Aadhaar database was not hacked or breached, but human access of the platform was misused. Moreover, it is the important to note that it is the UIDAI’s own systems that eventually picked up on this misuse.

But it does raise some of the larger points the opponents of Aadhaar keep highlighting — trusting any entity with data, particularly biometric data, is unsafe by definition. There is though, the point wherein a unique identity system in a country like India where benefits, subsidies and other services are rampant and untraceable, having a unique, two-step verifiable method to verify citizens’ access to schemes, and rooting out corruption has already brought about numerous benefits.

I’d love to have a more detailed debate on Aadhaar, one covering the Act, the change in its provisions in March 2016, and the larger point of making where to take Aadhaar in India — including how it is administered/delivered, privacy regulations, and more. Please comment if this is something you’d be interested in doing, and we’ll see how we can give this discussion some shape.

One final tidbit:

There has been no incident of misuse of Aadhaar biometrics leading to identity theft and financial loss during the last five years when more than 400 crore Aadhaar authentication transactions have taken place, according to Unique Identification Authority of India (UIDAI).

Notwithstanding the population of India, that is still a lot of transactions.

Chirag Desai @Chirag