India's Biometric Identity System Tracks Nearly a Billion People
Inherent vulnerabilities
Besides the central storage vulnerability in the Aadhaar system, there are inherent security risks to using biometric data for identification and authentication. For one, biometric data can be faked. Security experts have been fooling fingerprint scanners with counterfeited fingerprints for decades to proof that point. Since then, every self-respecting hacker/security conference has at least one talk explaining how to fake fingerprints or iris images.
Admittedly, in an infinite universe any security measure be it a passphrase or physical key can be broken or faked. But the additional problem of biometric data such as fingerprints or DNA is that you leave a trail of it behind you right there for the taking. And unlike a passphrase or key, you can't revoke or change it.
Function creep
India's government is promoting the Aadhaar system as a means to get state services to the people, especially the poor. But once a comprehensive database of all of India's residents exists, function creep - using the system for something other than it was originally designed – is waiting to happen. The chances of some state agency or other actor demanding access for purposes outside of the original scope are more than likely. In fact, it already happened.
In 2014, India's Central Bureau of Investigation (CBI) demanded access to all the biometric data of all residents of the state of Goa who had signed up for Aadhaar with the hopes of identifying the perpetrators of a gang rape. The UIDAI refused citing privacy concerns but lost in the lower courts. Eventually, the Supreme Court sided with UIDAI, ruling the data can not be used without consent of the Aadhaar number holders. But the CBI request revealed what irresistible juicy bite the CIDR is. "Once you create an ID system, other things happen. The most inevitable one is that government departments—like the police—want to access it. A database exists and I want to use it", Abhijit Sen, a member of the Planning Commission which presides over the UIDAI is quoted saying in The Economic Times.
Lessons learned
The Supreme Court's ruling took place during a time when Aadhaar wasn't yet defined by a law of its own, which gave the Court maneuvering room. But the Aadhaar bill passed in the lower house last week has enabled law makers to determine how the CIDR data may be utilized. And it seems the lesson they took away from the Court's decision is to make sure that, next time around, government agencies will get access to the data.
Clause 29 of the Aadhaar bill provides strong privacy protections: “No core biometric information, collected or created under this Act, shall be— ( a ) shared with anyone for any reason whatsoever; or ( b ) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.”
However, Clause 33 strips away those protections by creating two exceptions. The UIDAI must comply with requests for disclosure of information when served with a court order or when made in the interest of national security. The term national security is not defined in the bill, and thus, open to interpretation, creates a barn-door-sized loophole.
Besides the central storage vulnerability in the Aadhaar system, there are inherent security risks to using biometric data for identification and authentication. For one, biometric data can be faked. Security experts have been fooling fingerprint scanners with counterfeited fingerprints for decades to proof that point. Since then, every self-respecting hacker/security conference has at least one talk explaining how to fake fingerprints or iris images.
Admittedly, in an infinite universe any security measure be it a passphrase or physical key can be broken or faked. But the additional problem of biometric data such as fingerprints or DNA is that you leave a trail of it behind you right there for the taking. And unlike a passphrase or key, you can't revoke or change it.
Function creep
India's government is promoting the Aadhaar system as a means to get state services to the people, especially the poor. But once a comprehensive database of all of India's residents exists, function creep - using the system for something other than it was originally designed – is waiting to happen. The chances of some state agency or other actor demanding access for purposes outside of the original scope are more than likely. In fact, it already happened.
In 2014, India's Central Bureau of Investigation (CBI) demanded access to all the biometric data of all residents of the state of Goa who had signed up for Aadhaar with the hopes of identifying the perpetrators of a gang rape. The UIDAI refused citing privacy concerns but lost in the lower courts. Eventually, the Supreme Court sided with UIDAI, ruling the data can not be used without consent of the Aadhaar number holders. But the CBI request revealed what irresistible juicy bite the CIDR is. "Once you create an ID system, other things happen. The most inevitable one is that government departments—like the police—want to access it. A database exists and I want to use it", Abhijit Sen, a member of the Planning Commission which presides over the UIDAI is quoted saying in The Economic Times.
Lessons learned
The Supreme Court's ruling took place during a time when Aadhaar wasn't yet defined by a law of its own, which gave the Court maneuvering room. But the Aadhaar bill passed in the lower house last week has enabled law makers to determine how the CIDR data may be utilized. And it seems the lesson they took away from the Court's decision is to make sure that, next time around, government agencies will get access to the data.
Clause 29 of the Aadhaar bill provides strong privacy protections: “No core biometric information, collected or created under this Act, shall be— ( a ) shared with anyone for any reason whatsoever; or ( b ) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.”
However, Clause 33 strips away those protections by creating two exceptions. The UIDAI must comply with requests for disclosure of information when served with a court order or when made in the interest of national security. The term national security is not defined in the bill, and thus, open to interpretation, creates a barn-door-sized loophole.
Read full article
Hide full article
Discussion (1 comment)