Some comments on Aadhaar or Adhar:

Some comments on Aadhaar or Adhar:

Firstly unlike a password, biometric data is not secret and also not in full control of the owner of biometrics. Biometric data today are shared not only with Aadhaar authorities but practically everywhere, including attendance systems and banks. Even on table and doors accessed by that individual.

The same problem (and more) exists with passwords. How do you stop someone from using the same one everywhere (and therefore being hacked somewhere else and then his Govt ID being abused?). From writing it down and sticking it in a drawer or on a computer screen? When it is so easy to reverse engineer, imagine tying critical services to a unique ID with a password? Even companies are moving away from just passwords (or in some cases passwords altogether). So I would argue that a password is not secret at all, and easily transferable and reverse engineered.

So then the question is, is biometrics more reliable and secure? The answer would seem to be yes.

The video has been taken down so I have no way of verifying it. But considering Google/Apple continue to use fingerprints and every notice so far of copying fingerprint is anecdotal, and that Aadhaar’s CIDR is not using just 3 points of fingerprint matching.

Financial support to non-citizens

Section 9 clarifies that Aadhaar is not the proof of Citizenship or Domicile. This means that benefits accruing out of Aadhaar will be niraadhaar (without basis of Citizenship). It is very strongly recommended that a special mark must be indicative in Aadhaar number itself (like * mark) to show that the person is NOT a citizen of India. The government has passed repeated orders to identify Indian Citizens but there appears to be no progress in this regard. In any case, the requesting entity must know if the person being enquired on is Indian or not.

I think this isn’t the right line of reasoning. Aadhaar isn’t a proof of citizenship (it is a form of identification/authentication), and therefore Aadhaar is not the basis of a subsidy either. Aadhaar is needed to avail the subsidy, not qualify for it.

For example, a certain maximum balances qualifies a JanDhan account, or a certain income level qualifies you for an LPG subsidy. UID then helps ensure that the subsidy is passed on to the qualified person correctly (and alternatively you have the guarantee the bank account was opened in your name correctly). Aadhaar doesn’t help you qualify for EPFO, it ensures you get your EPFO in your bank account, etc.

Point is, the qualification of a subsidy has not changed, and aadhar is not being used as a basis of that determination.

Financial Risk

According to section 11(2), the authority will be a body corporate, which means it will be covered under section 43(A) of the Information Technology Act and rules made thereunder. It also means that the authority will not have protection provided to the government in case of any failure. If for any reasons, any core biometric information is lost, then the authority will be liable for civil liability of unlimited amount. Unlike the other methods of authentication, biometric loss is lifelong loss, hence the liabilities of such loss will be far enhanced. In a case of complete loss, the civil liability may be few lakh crores. Is the authority or the government ready for such loss?
Will the government be morally right to pay for such loss to the citizens of India from the money collected through taxes from citizens of India, for its own incompetence? The Act is silent on this risk assessment.

Fair point. This will also need to be separated against breach (of even rules, not necessarily of data) that may occur within the ecosystem vs by the UIDAI.

Secondly, Biometrics are permanent; unlike a password or a smart card, they cannot be changed. God forbid, if the complete Aadhaar database is compromised (like that of Sony) and which must be expected to be so, the biometrics of all citizens will be compromised. Isn’t it far too big a risk for the government to take? Access to sensitive areas such as defence installations, which use biometrics as access control, will automatically become unusable for life of that senior defence officer. There is no way to correct the situation, unlike password and token.

There are numerous things that need to be done — this is what I stressed on during our Twitter chat — to ensure the system is secure. Everything from encryption methods, process certifications, splitting the DB into pieces so access to a single database does not compromise us in entirely are being done.

Numerous governments collect biometrics from their residents and also their visitors. Do we have any cases of them being leaked and then misused? There is an inherent security by purpose that requires Governments to do everything in their power to ensure the security of this database. Having reviewed within my limited expertise the access to CIDR bits, i.e., over the API, I am assured that it is not going to be easy to pull data out.

The challenges in this field will increase manifold as financial transactions based on biometrics increase. For example, the government had ordered that App Praman is used for giving life certificate for all pensioners. An individual can create his artificial fingerprint and give to his own family to continue to draw full pension even after his death.

Sure, but once the death is registered and the Aadhaar is then locked, what good is the fake fingerprint? And they wouldn’t be able to register a new person with the fake fingerprint either once the person is logged in. So it becomes a closed door.

Section 14 does not limit the citizenry of chairperson and the members of the authority, hence it is possible to appoint a chairman who is neither Indian nor resident of India. It is, therefore, necessary to make appropriate amendments in section 14 which should state that the chairperson and members should be ‘resident Indian citizens’ only. If we cannot get a reasonably competent person to be chairperson or member of the authority then it is a matter of shame. Additionally, if such persons are foreign nationals then ensuring compliance of Section 16 will be impossible.

Agree, there does not seem to be any limitation of citizenship on the authority, except indirectly and only on certain positions. I agree this should be explicit.

To your other point, you’re right as well, the Act does not quantify what violation of breach of UIDAI members would be (in case of the cool off period for instance). So a) I hope that is correct but b) it must be remembered that the law prohibits a cooling off period, meaning that a Court can then apply a reasonable punishment despite a lack of definition.

Relationship with Software, Hardware and Database Vendors

There has been repeated questioning of the UPA government in respect of the contract it has signed with various software and hardware providers and database maintainers, especially the contractual agreement between the Authority and MongoDB. Neither the UPA government nor the NDA government issued any clarification in this regard.

The issue I have the constant mention of MongoDB is that there is no mention of this anywhere. To some extent, the level of agreement and other specific details of the infrastructure should be limited (and clearly is). What has been made clear is that multiple technologies are in use (for example 3 open source softwares are in use for deduplication) with a focus on open source to eliminate proprietary restrictions or lack of support.

If the silence is considered as acceptance of this contractual flaw, then section 22B has extended this contractual liability forever and shared the private sensitive data of Indian citizens and residents with the US government. The charges are serious and silence is not an answer.

I don’t believe silence makes something accepted or contractual. Do we have a right to know — thereby giving someone with malintentions the right to know — this we can debate. While I have heard the MongoDB arguments multiple times, I’m yet to see anything verified that use of MongoDB automatically hands anything to the US Government, but the problem with something ambigious is both sides can keep fighting without something verifiable. That said, if Aadhaar is disconnected from the open world (as it is listed to be), connectible only via verified vendors and through specified APIs, this would still severely limit any one’s access to data.

But the point you make here starts with an assumption, and if that assumption is wrong, then the rest does not flow. There has been no indication that technical safeguards are not in place — things like separating storage of different pieces of data across independent DBs, encryption models — which are in fact in place.

Section 23(2)(c)empowers the Authority to appoint an entity for operation of Central Identity Database Repository (CIDR). However, no limitation has been put in this regard that Indians’ core sensitive data will not be handed over to a foreign entity. There is a precedence of such misuse, which has serious national security impact.

Actually the law is quite clear re: core sensitive data, coming from Section 29 (1)(a), that it cannot be shared ‘with anyone for any reason whatsoever,’ other than for ‘national security’, which in turn, has to be verified by an Oversight Committee, followed by a Court order.

Attempt to Risk Transfer

The risk in case of leakage of personal sensitive data of ALL Indian citizens is enormously high and irreparable. Once biometrics are lost they are lost forever, no change is possible. Through Section 28 (4)(c ), the Act has made a weak attempt to transfer such risks to the consultants and advisers which is neither practical nor possible to meet the civil liabilities in case of loss of any core biometric information. In case the decision to implement any advice is that of the Authority then the liability also must rest with the Authority. Only limited liability up to the fee so paid can be charged from Advisers and consultants. No court will support such open-ended provision.

With over 400 crore auth transactions and no clear stealing of data having been done, this is an assumption. Yes the risk is high and hence the safeguards are also high.

Where does the Act limit liability of violation? In fact, due to Section 29 (1), sharing core biometric data is a serious violation of law, even if punishment has not been specified.

Second, Section 28(4)(c ) actually imposes requirement on the UIDAI to ensure that agreements are entered into are correct and compliant with the Act. The Act says that core biometric data cannot be shared with anyone. Therefore any agreement that allows this sharing is a continued violation of this law, as well as any provisions under IPC/IT Act. See the immediate next Section 28(5) that no one in the Authority can reveal information inside the CIDR to “anyone”.

Intelligence Gathering

The Bill at Section 13(3) allows the intelligence agencies to dip into the core biometric information and even extract it for an individual or group

No idea what this is. There is no section 13(3) and no, no intelligence agency has any provision within the Act to “dip into the core biometric information”.

In fact, in 2014, the CBI wanted Aadhaar biometric details of an individual, which the High Court ordered. The UIDAI filed a response in the Supreme Court, to which the Supreme Court ordered, and I quote:

“In the meanwhile, the present petitioner is restrained from transferring any biometric information of any person who has been allotted the Aadhaar number to any other agency without his consent in writing.”

The UIDAI’s request was upheld and the Court ruled that even transfer of information to investigative agencies had to be done with ‘consent’ of the holder.

Additionally, the Act is silent on security and privacy of the databases collected by Intelligence Agencies over a period of time, interacting with CIDR. And with this single mechanism, Gestapo or Nazi type operations can be easily launched. Unlike many advanced countries, India does not have an Intelligence Services Act to fix accountability. Hence this can lead to serious breach to freedom of citizens. (I have personally suffered such abuse by Intelligence Agencies).

I feel you are referencing the Bill 2010 perhaps. The 2016 Act is *not* silent on security or privacy of interacting with the CIDR, and the Regulations further define this. While i’m sorry you have sufferenced abuse by Intelligence Agencies, this does not flow from the law.

To clarify, I understand you’re targeting the implications of breach. But the question is always in the process — is the law solid, and then if so, is it being implimented/adjudicated correctly. So my argument is that the law actually entails enough provisions to help protect everywhere and illegitimize items like you mention in terms of interacting with CIDR.

Target of Cyber warfare

Central Identity Data Repository (CIDR) will be a valid and lucrative target for cyber war. Operation PRISM, Vault 7 and many other leakages of information of NSA (USA) have clearly established that the agenda of United States is to have cyber supremacy over the world.
[…] It may be noted that the RSA designed algorithm has inbuilt security loophole for the US Government to hack into any system / individual using it. Therefore unless such algorithm, including its random seed generator are written, vetted and certified in India, it will be serious cyber war-related security threat.
India has the capacity to write such codes and vet + Certify them, but it is not clear if the source code of these algorithms have been written in India and vetted by a different Indian authority or not. In case these are provisioned directly from where the software and database have been procured, then it must be assumed that CIDR stands already compromised, and US government already has Aadhaar CIDR data.

Again we’re starting with an assumption, which if incorrect crumbles the entire argument. What is however clear from various technical documents published by the UIDAI, the CIDR does not run on a single piece of software and therefore even if we were to concede that a piece of software came direct and the US government has some way to break that (remember that just hackable software isn’t enough, you need to be able to reach the servers running *that* piece of software to do something with it, but fine), even then it does not automatically flow that the US Government has Aadhaar data.

RSA is not the *only* encryption algorithm in play. In the layer where it is involved, it is combined with ECB. The other encryption layer uses AES/SHA-256. I have already highlighted how well each of these algorithms are rated, and cite a report by the European Network of Excellent in Cryptology. I will make the assumption here that they would not be going around recommending encryption that is loopholed by the US Govt.

Minimum Punishment with Complex Procedures

Chapter VII of the Act shows that the Government is NOT serious to punish anyone in case of any breach. On one hand, the Act agrees that it is collecting personal sensitive data of all residents of India, but on the other hand, there is no offence mentioned which has punishment more than three years of imprisonment.

The argument is subjective, but as we debated on Twitter, offences can be compounded with IPC or the IT Act, which carry their own terms of imprisonment.

Just logically, the Act has made establishes what is legal. A Court’s interpretation therefore would be that failure to correctly collect data or misuse of data would be, by definition illegal. In the event that the Law does not specify punishment, the Court can fill the gaps. With respect to the offences listed there — such as the case where an agency revealed someone’s Aadhaar number even if inadvertantly — the UIDAI is the fine that has to file the case. The expectation then is that the citizen’s right to grievance redressal (guaranteed under Law as well), will then be furthered by the UIDAI in the event of violation. However, I contend that should the UIDAI fail in guaranteeing the person’s right to grievance redressal, you have a right to ask the Court to intervene, by virtual of it being illegal under the Act itself.

The world is well aware of the case of Edward Snowden stealing this type of information from the National Security Agency of USA. In case of similar act by any employee of the authority, the maximum punishment is just ONE year imprisonment with fine of Rs. 25,000/-.

Edward Snowden stole biometric data? Or confidential documents?

Does the Government intend that if an employee of CIDR who has authorised access takes unauthorised copies from CIDR, he is not a serious offender? On similar lines, if the chairperson and/or members compromise anything related to Aadhaar, no action can be taken against them unless the same authority complaints against itself [refer section 47(1)]. Even Government has no power to make complaint for any such criminal liability.

The law does not guarantee this authorized access, and legally it is clear that it makes him a serious offender, albeit without a specific sentence.

The Government has cut its own hands; it cannot even issue directions related to technical or administrative matters (submitting complaint for an offence is an administrative action and not a policy issue) as the Aadhaar authority becomes ultimate authority in such matters under proviso of Section 50(1).
Thus we have a situation where ONLY on the ‘complaint’ of the Aadhaar Authority a criminal proceeding can be initiated; Police investigation is NOT necessary; such offences despite being of low punishment value can be tried ONLY in CMM or Session Court; but no court can give punishment more than three years of imprisonment.

If the Central government would have given itself superceeding powers, wouldn’t the argument have been that ultimately you want an independent entity managing this and not misuse by political pressure? This is the reason for these provisions and in fact, makes sense. But also note Section 50(2): “The decision of the Central Government, whether a question is one of policy or not, shall be final.” We can’t have a discussing about wanting foreign Govts out of the security loopholes that may exist but also want the Central Govt to have powers to use technical shortcomings right? You want the politicos out of the administrative matters — pertaining to maintaining, running operations, etc as well.

The problem again is that of isolation, one rule does not negate the other. Firstly, the police wouldn’t be involved anyway. Second, it must be remembered that everything pertaining to the CIDR and its definition comes from the IT Act (the CIDR is a protected system under Section 70 making it punishable with a 10 year term) and a CII under NCIIPC making even the attempt to break into it an Act of cyber terrorism.

I want to finally comment on this line:

It appears that the present Government has picked up the pathetically drafted Aadhaar Bill prepared by UPA Government, dusted, rehashed it at a few places[…]

How? The sheer number of differences between the two bills is monumental (see this), not to mention that the Bill did not even have a definition for core biometric data, let alone its protection. This, in and of itself, cannot be considered “rehashed in a few places”, sorry.

The fundamental issue—compounded in India due to our sheer numbers—is how do we ensure service delivery without identification. Aadhaar attempts to solve this bottom line. Without the Act though, Aadhaar was horrendously problematic and I believe the Act takes care of numerous issues that would have severely hindered both adoption and utilization. Unlike other government IDs like a passport, it will be harder to fake—you can still create a fake number for example, but when a services require you to authenticate, each auth will be verified making it that much harder to game the system, which is why I like it better.

Some of the issues you raise such as where things say ‘will be explained by Regulation’ actually are explained in Regulation (there are 5 Regulations simultaneously introduced that specify other elements). My problem arise at assumptions that something is just flawed, or worse, We’d be fools to think there isn’t scope for improvement in the law so I say let’s continue to suggest those.

Chirag Desai @Chirag