REAL DANGER: Apart from data leakage through inadvertence, there is a very real danger that cyber-smart crooks will use technical scams to gain control over Aadhaar data and rob people en masse. Even more worrying is the national security issue highlighted in Dr Kelekar’s affidavit, wherein terrorists may theoretically gain access to troop locations through such linking!
In the wake of the Supreme Court judgment on January 30 upholding the right to privacy, the government may not be able to force Aadhaar down the throats of the people, except for those who may need to avail of subsidised services. As the deadline for linking phones and bank accounts to the Aadhaar card draws near, security issues and challenges continue to loom large with no solution in sight…
By Rajan Narayan
WHEN you go to the passport office to make a new passport or renew your old passport, they do not rely on the data that is embedded in the Aadhaar card. Unlike in the past, every passport office of the Government of India insists on taking its own photograph, fingerprints and eye prints. When you go to a bank, though they may ask you for your Aadhaar card, they have their own systems to check the authenticity of your name, address and other details under the ‘Know Your Customer’ (KYC) norms. Similarly, when you apply for a PAN card, the agency concerned verifies the details of your identity itself and does not go by the Aadhaar card.
Incidentally, banks keep sending you an SMS not to provide details of your credit and debit card to any stranger, or even to their employees. The problem with Aadhaar is that the KYC details are collected not by the UID organisation but by sub-contractors. So there is no guarantee that sub-contractors will not leak the information.
You are the owner of your fingers. You are the owner of your hand or thumb. You are the owner of your eyes. But the lines on your fingers could change due to hard manual labour or age. There have been cases of miners in Jharkhand not being able to verify their fingerprints because the lines on their labour-scarred fingers have changed. Even the eye or retinal print embedded in the Aadhaar card could change if you have a cataract operation.
The agency which records the details that appear on your Aadhaar card may bend the rules and not insist on birth certificates and proof of residence when it issues a card to friends and relatives. Moreover, address proof is a major problem for over 70% of the population, who may not have their own homes. In rural areas, over 80% of the residents are agricultural labourers who migrate to the cities at times of drought.
Similarly, a number of young people are compelled to move out of their home towns in search of jobs. Goa is an ideal example, where more than 50% of the population are migrants who rent accommodation, big, small or tiny, on a leave and licence for 11 months. This means that the address they have given in the Aadhaar card may not be the one where they are staying now. It is not convenient for them to give their permanent address in their home town, as they probably visit only once a year.
Hence the Aadhaar card cannot even be relied upon as proof of address, let alone proof of the date of birth, education levels and other details of the citizens of India.
It is a catch-22 situation. If you do not have proof of address, or are not literate enough to fill in a form, you cannot get an Aadhaar card. If you do not have an Aadhaar, you cannot get your rations or subsidised gas or a mobile connection, or open a bank account. If you do not get rations you may starve to death, as many families have done.
So there are many concerns over Aadhaar, including the Right to Privacy. There is no reason why everyone should know the details of the colour of your eye and the size of your finger, or where you stay. At the moment there is no security with regard to the data on the Aadhaar card, as proved by the young reporter Rachna Khaira of the Tribune in Punjab, who was given access to the Aadhaar information of lakhs of individuals on payment of just ₹500.
We are happy to reproduce verbatim the affidavit filed in the Supreme Court by one of the country’s top cyber security experts, Dr Samir Kelekar, who has worked for a leading company in Silicon Valley. Dr Samir Kelekar has also been among the guides of the DG of Goa, Muktesh Chandra, who holds a doctorate in cyber security.
Dr Kelekar is the son of Gurunath Kelekar, whose portrait is part of the homage to those who fought to preserve Goa’s identity, put up at the Opinion Poll Square in Colva.
A F F I D A V I T
I, Samir Kelekar s/o Gurunath Kelekar, aged about 53 years and resident of # 337, 2nd Floor, Amar Jyothi Layout, Dom
hereby solemnly affirm and declare that :-
1. That I have working experience of more than thirty (30) years in the field of IT and about 15 years of experience in the field of cyber security, and that currently I am heading a company which I founded for the purpose of providing security solutions to organisations which need to protect themselves against Internet / cyber / digital frauds.
2. That my firm’s name is M/s. Teknotrends Software Pvt. Ltd.
3. That I graduated in electrical engineering from the Indian Institute, Mumbai (IIT, Mumbai) in 1983. Thereafter I obtained a post-graduate degree in Computer Engineering from Clemson University, South Carolina, USA.
4. That I hold a doctorate degree (PhD) in electrical engineering from Columbia University, New York, USA.
5. That I have done work for clients including Canara Bank, G E Health and MTN, a multi-national South African mobile phone company.
6. That I am aware that the Government of India is implementing “UID / Aadhaar” based authentication for various government services, and that private entities may also use the UID / “Aadhaar” database for identifying individuals.
7. That I am aware that there are petitions before the Hon’ble Supreme Court of India challenging the said UID / Aadhaar project on various grounds, inter alia, that the said project poses a constitutionally impermissible danger to citizens’ basic civil liberties including their privacy, and I hereby allow this affidavit to be placed by one or more of the petitioners in support of their challenge on the said grounds to the said project.
8. That as someone with fairly extensive experience of cyber security, I can categorically state that this project is highly imprudent, as it throws open the clear possibility of compromising basic privacy by facilitating real-time and non-real-time surveillance of UID holders by the UID authority and other actors that may gain access to the authentication records held with the said authority or the authentication data traffic, as the case may be.
9. That I state that I have perused the documents that UIDAI has put out in relation to the design of the Aadhaar authentication system, and I can categorically state that it is quite easy to know the location and type of transaction every time such authentication takes place using a scanner for fingerprints or iris and the records of these in the UID / “Aadhaar” database.
10. I state that it is not dissimilar to knowing the place from where a person made a call using his / her mobile phone. Just as the mobile phone connects to a tower from where the phone signals are sent to other towers and the servers of the mobile phone companies, biometric scanners also have SIMs and IP addresses to locate the place from which the transaction took place and its nature. Any administrator of the UIDAI server, or any employee or other person with access to transaction data, with a little help from the servers (Authentication User Agents and Authentication Server Agents, as they are called in UIDAI literature) through which the authentication request is sent to the UIDAI, will be able to track the transaction and the person carrying out the same. Further, I also point out that UIDAI recommends that each point of service device, i.e. the device from which an authentication request emanates, register itself with the UIDAI and acquire for itself a unique device id, which shall then be passed to the UIDAI along with the request for every authentication transaction. I state herein that the said method of uniquely identifying every device and being able to map every authentication transaction as emanating from a unique registered device further makes the task of tracking down the exact location and place from which an authentication request emanates easier.
11. I further state that there are technical tools available that make it easy and possible to track the electronic path that authentication requests from any given authentication device to the Central Identification Data Repository take as part of their authentication transaction.
12. I further wish to point out that today it is well known that no security is perfect. The idea is to design a system wherein, in case of a breach, the damage is minimal and backups are available. Hence, passwords should be changeable. Biometrics as a password is problematic in that it cannot be changed if stolen / lost / hacked.
13. That secondly, a centralized database has the problem that once hacked, all data can be lost. Specifically, consider if Army personnel use this as an authentication mechanism before getting their salaries. The location from which they authenticate can be found, as it will be done via a scanner which has an IP address / is on mobile internet. From the tower to which the scanner connects via its SIM card, its location can be found. This data will be available in the logs of the Aadhaar system. Any compromise of the Aadhaar system means that the hackers can know the exact location of all army personnel of the country at the time when they take their salary. This can be a big risk to national security, and this is just one example as to why it is, in my opinion, imprudent to use such a system.
I, the deponent above-named, hereby solemnly declare and affirm that the contents of this affidavit in paragraphs 1 through 13 are all true and correct to the best of my knowledge and nothing material is concealed therefrom.
Verified on __ day of April 2016.
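The affidavit's central technical point is that a central authentication log which stores a registered device id (or network address) alongside every holder's transaction turns the log into a movement record, and that a breach or an insider with log access exposes it. The following is an added illustration, written for this page and not part of the article or of Dr Kelekar's affidavit. It models a device registry and a transaction log as the affidavit describes them, shows what a reader of that log can reconstruct, and contrasts it with a minimised retention schema that keeps "who authenticated on which day" separate from "which device was used", so that the same reconstruction yields nothing. The registry, the record layout, the place names and every record are constructed sample data, and the minimised schema is one design choice of the example, not UIDAI's.

```python
"""Added illustration: linkability of a central authentication log that
retains a per-device identifier, versus a minimised retention schema.
Every device id, place name and record below is constructed sample data."""
from collections import Counter, defaultdict

# Constructed device registry. The affidavit describes each point-of-service
# device registering with the authority and receiving a unique device id;
# the mapping from device id to physical place is this example's assumption.
DEVICE_REGISTRY = {
    "dev-0001": "ration shop, district A",
    "dev-0002": "bank branch, cantonment B",
    "dev-0003": "mobile store, city C",
}

# Constructed transaction log in the shape the affidavit warns about:
# holder id, registered device id and timestamp stored together.
FULL_LOG = [
    {"uid": "1111", "device_id": "dev-0002", "ts": "2016-04-01T10:05"},
    {"uid": "2222", "device_id": "dev-0001", "ts": "2016-04-01T11:20"},
    {"uid": "1111", "device_id": "dev-0003", "ts": "2016-04-03T16:40"},
    {"uid": "1111", "device_id": "dev-0002", "ts": "2016-05-01T10:02"},
]


def location_trail(log, registry):
    """Reconstruct, per holder, a time-ordered list of physical places.

    This is exactly the inference the affidavit describes: anyone holding
    the log and the device registry gets a movement trail with one lookup
    per record. Records without a resolvable device id contribute nothing.
    """
    trails = defaultdict(list)
    for rec in sorted(log, key=lambda r: r.get("ts", "")):
        place = registry.get(rec.get("device_id"))
        if place is not None:
            trails[rec["uid"]].append((rec["ts"], place))
    return dict(trails)


def minimise(log):
    """Data-minimisation schema (example's own design, not UIDAI's).

    Two separate stores are retained instead of one joined record:
      * holder_records: holder id and calendar day only, enough to answer
        "did this holder authenticate on that day" for dispute handling;
      * device_counts: per-device transaction totals with no holder id,
        enough for capacity and abuse monitoring.
    Neither store alone, nor both together, can be joined back into a
    per-holder location trail, because the device id is never stored
    next to a holder id.
    """
    holder_records = [{"uid": r["uid"], "day": r["ts"][:10]} for r in log]
    device_counts = Counter(r["device_id"] for r in log)
    return holder_records, device_counts


def authenticated_on(holder_records, uid, day):
    """Audit query that the minimised store still supports."""
    return any(r["uid"] == uid and r["day"] == day for r in holder_records)


if __name__ == "__main__":
    # Full schema: the whole trail of holder 1111 falls out of the log.
    for uid, trail in location_trail(FULL_LOG, DEVICE_REGISTRY).items():
        print(uid, trail)
    # Minimised schema: same registry, no trail, audit query still works.
    holders, counts = minimise(FULL_LOG)
    print(location_trail(holders, DEVICE_REGISTRY))
    print(authenticated_on(holders, "1111", "2016-04-03"), counts["dev-0002"])
```

The point of the contrast is not that the minimised store is unbreachable but that a breach of it discloses far less: the affidavit's "minimal damage in case of a breach" principle applied to what is retained, rather than to how the log is protected.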