Srinivas Kodali: ‘When your fingerprints as passwords are not secure, the only thing you can keep secure is your Aadhaar number’
‘In villages you need to disclose your Aadhaar’
Civil Society News, Gurugram
An Aadhaar card has become indispensable. It has simplified a great many transactions, allowing them to happen almost instantly. But with growing usage have come concerns. Financial dealings may have become quicker but fraudsters are known to be gaming the system. Establishing one’s identity instantly with an Aadhaar number may be a boon and yet identity theft and the creaming away of biometric data are throwing up serious challenges.
Recently, the Unique Identification Authority of India (UIDAI) issued an alert against misuse of Aadhaar numbers in financial transactions. It advised people not to give out their cards except as a masked version with only the last four digits of the Aadhaar number showing.
The advisory was quickly withdrawn lest it lead to panic. But it confirmed growing fears that the useful identity is not without some serious drawbacks.
To know more we spoke to Srinivas Kodali in Hyderabad. He has documented UIDAI and has been a close observer of how Aadhaar is used and gets misused.
Kodali is a champion of the democratic use of technologies and one of his criticisms of Aadhaar is that it was designed for commercial ends, keeping only the rich in mind. Its flaws weigh heavily on the poor, he tells us. It is also a challenge to democratic freedoms by allowing governments to surveil people. Linking voter identity to Aadhaar may leave out millions from voter lists.
Kodali graduated with a B.Tech in civil engineering from IIT Madras in 2013. He’s been keenly involved since his student days with open data communities. “Open software is a form of political activism for the politics that arose in the software world,” he says. “Production of software is interlinked to freedoms not only in the software realm but outside as well.”
Is Aadhaar data being misused and if so, how bad is the problem?
Aadhaar data has always been misused. There is so much documentary evidence. You go to YouTube and there are people explaining how to misuse Aadhaar, photoshop it, change it or get one made. It has been a constant problem plaguing the system since its creation.
The UIDAI has been blacklisting several operators who have been enrolling Aadhaar in bulk or without verifying people. These complaints were so bad that at one point of time, the MHA (Ministry of Home Affairs) wanted to take over the Aadhaar project.
There were fights between the UIDAI and the MHA and to settle the matter, it was decided the MHA will issue Aadhaar in the border areas and the UIDAI will issue it in the inner states. The problem for the MHA was that Aadhaar cards were being issued to non-Indians and they were able to get passports based on Aadhaar. Fraud was associated with this system from day one.
Is biometric data being compromised?
The point is, where it is being compromised. The UIDAI claims their databases are secure — which may be right or wrong, I don’t know. The fact is, you give your fingerprints at a variety of locations: when you have to get your passport, your driver’s licence or for land registration. So, if your biometrics get leaked at any of these locations it’s still a breach. Your biometrics are not secure, at large, or under your control.
If you touch a bottle, you leave your fingerprints. Anyone can extract them. The police do this all the time when they have to investigate a crime scene for forensics. The (open software) community has been telling the UIDAI that fingerprints as passwords is a very bad idea.
When your fingerprints as passwords are not secure, the only thing you can keep secure is your Aadhaar number which becomes your username. If your password gets leaked, at least someone else does not have your username. But if your username gets leaked it’s easy to get your password because your fingerprints are everywhere.
The Aadhaar number needs to always be secretive. When the initial Aadhaar Act was drawn up in 2016, it said publication of Aadhaar numbers is a bad idea. Biometrics as authentication for Aadhaar is an inherent design problem. It is leading to a lot of these problems. You can’t change your biometrics and you can’t change your Aadhaar number.
And the fact that we are using Aadhaar across the board for so many services, is that a problem?
Yes, absolutely. If you use the same username and password for your Google, Facebook, WhatsApp and email accounts and if there is one breach in one of these databases… (your data gets compromised). Which is why you are advised to not use the same password everywhere. It’s not safe security practice and the cyber security and infotech community has known this for years. People who designed the Aadhaar system never cared about this at all.
Why this fatal flaw?
There were a host of political reasons apart from economic interests to build a data economy around Aadhaar. You had national security interests — the project came right after the Mumbai terror attacks. The NPR (National Population Register) and Aadhaar were happening simultaneously as part of the 2011 Census. That is when this project took off.
There were economic interests from the Indian IT industry. You had Mr (Nandan) Nilekani pushing for a digital identity and a sort of data collection. There was the MHA which wanted to collect details of everyone in the country, including biometrics. The MHA has been collecting fingerprints of criminals for the past 200 years.
We are not really sure where fingerprints came in from, whether it was the economic interests of the IT sector or Mr Nilekani’s decision or whether it was imposed on him by the MHA. There was an initial agreement to share all the biometrics that the UIDAI collects with the MHA which the Supreme Court stopped. There were a lot of factors at play in the early stages of the project which could have led to this.
One critical issue is that people are losing their money by linking their bank accounts to Aadhaar. If Aadhaar is delinked, won’t that solve most of these problems of fraud?
There are many types of fraud with Aadhaar. The easiest is identity fraud. If I have a photocopy of your Aadhaar with your number and all details I can just replace your photo with mine and use it everywhere.
Banking fraud is happening because Aadhaar is being linked to bank accounts. We have multiple payment systems linked to Aadhaar. One is called the Aadhaar Payments Bridge (APB) System. It is used to send money from the Consolidated Fund of India account to individual accounts for DBT (Direct Benefit Transfer) subsidy. That’s its only purpose.
If your bank account number or Aadhaar number is changed in any of the subsidy linkages the money can go to different accounts instead of coming to your account. That’s one type of fraud.
The second type of fraud is when somebody withdraws money from your account. This is happening via Aadhaar-enabled payments systems which are micro ATMs. Rural India has no ATMs or banks, so to withdraw money from their accounts people need payment systems. Aadhaar was to do that. It was always linked to financial inclusion.
So, people can withdraw their money by giving their Aadhaar number and biometrics. But every time you do this, you don’t know whether you are giving your biometrics for withdrawing rations or money. It’s like using the same password and login for a host of services.
In rural India you are forced to share your Aadhaar number and biometrics. If you are a privileged person who doesn’t get subsidy and you only need to use your Aadhaar for income tax purposes, you can say no to almost everything else.
How do we avoid this? The reason all these vulnerabilities are happening is that when you link your bank account to your Aadhaar number the payment instrument becomes active. If I don’t link, then I’m safe even if someone has my Aadhaar number.
The Supreme Court clearly ordered Aadhaar was not to be linked to bank account numbers. Yet the RBI and the finance minister are forcing bank account linkages for PMLA (Prevention of Money Laundering Act) requirements. It’s as if the Supreme Court judgment never took place. The contempt towards the court and towards the people for the Aadhaar project is historic.
In the entire decade of the existence of Aadhaar, they have not followed a single rule that the courts have ordered. And that is reflected in the report of the Comptroller and Auditor General (CAG). It’s being acknowledged by a government auditor that the UIDAI is failing in so many ways.
But this is also a political issue. Aadhaar is being used to transfer subsidies to people with low incomes, whether it’s for a gas cylinder or for agriculture. It is paying political dividends. How can this transfer be made safer and more efficient?
It’s the poor who have been made vulnerable in all of this. The level of information asymmetry that exists in rural India and access to these institutions is so bad that even if people are affected, they don’t even know that money has been taken from their accounts. If they know, they don’t know what to do about it.
Yes, it’s a political problem. Politicians want to use DBT to send money to people but nobody is saying to stop this. People are only saying that you fix some of the inherent problems associated with DBT and that you don’t force this on everyone.
The question is, who is forcing it? There are multiple interests at play. You have the IT industry forcing this on richer populations because they want to acquire them as potential consumers for the financial technology industry.
For the poor it’s actually the MHA who wants to understand who the population is. This idea of preventing fraud, or preventing money laundering, is also from the terror funding angle or foreign funds angle to track how the money is flowing. They want to understand who is funding whom in a host of different scenarios.
So, it’s very unlikely that this project is going to disappear.
But how do you fix this? Is voice technology for the poor a solution? So, if you are using your Aadhaar for ration, the machine can tell you it’s being used for that purpose.
To fix the system you have to accept it has fundamental flaws. The RBI and the UIDAI have to investigate it together because it is a financial problem and because there is an identity layer linked to it. Both the institutions have never accepted that a problem exists.
The recent UIDAI advisory asked people to use masked Aadhaars. This came into existence in 2017. From 2010 to 2017 almost every Indian got an Aadhaar. After demonetization in May 2017, I wrote this report that 130 million Aadhaar numbers are publicly available and anyone can get Aadhaar numbers from the government website. The UIDAI then woke up and said there is a privacy problem with Aadhaar also because a related case was being discussed in the Supreme Court and they somehow wanted to ensure it was not shut down.
It prompted the UIDAI to find a solution for the problem of identity theft and Aadhaar numbers being made publicly available so they came up with the masked Aadhaar number concept. Nobody is using it.
UIDAI has been posting a lot of these advisories on Twitter for a long time. It just so happened that this advisory was posted as a press release and that explains the coverage it got. If you go look, they have been saying lock your biometrics, use mAadhaar, follow certain safeguards. Masked Aadhaar is the solution they are proposing. Similarly, they are saying lock your biometrics through the mAadhaar app. Except, you need a smartphone to do that and much of rural India doesn’t have that.
I think implementing the Supreme Court judgment of not forcing Aadhaar-bank account linkages is a good start. And if you have done so, there should be the option to delink it.
I think they can fix the technical side of issues with respect to the banking part. The RBI can mandate an extra check, not just an Aadhaar number and biometrics. The RBI has designed these micro ATM payments and regulates all of it. The UIDAI says it doesn’t deal in money so this is not its problem. The RBI has been increasing security. There is a reason why we get OTPs for our credit cards.
But, when it comes to the Aadhaar project the RBI is silent because they too want to track the flow of money with Aadhaar numbers for PMLA requirements. This idea of national security and tracking money is making some of these institutions blind to the problems of the public.
Is there some level of regulatory chaos?
Absolutely. It’s been there since the last decade. They wake up to the problem only when there is a public outcry and then they fix it.
With respect to biometrics they are trying to improve devices and make some changes at the ABL level but none of them will fix the information asymmetry problems which exist when you give your biometric details and Aadhaar number.
Why and how this data will be used is something they are not telling us. The Supreme Court, in the right to privacy case, said there should be purpose limitation, a law, and you clearly need to say why this is being collected. There is no law for the Aadhaar bank account linkage either. They are doing it as part of the PMLA rules.
This still leaves out rural India?
There is a real problem in rural India. There is no access to banking systems and without that you aren’t going to solve your poverty challenges. The banks are not interested in building banks and hiring people. The IT industry is saying we have a solution — apps are the only way. Which is not wrong, frankly. The problem is that you are forcing a broken solution.
A lot of people are using UPI where there are no banks. Great. The problem is that they are forcing Aadhaar even when an individual has access to UPI. That is where the problem is coming from — why are you forcing a particular instrument and why are you not looking at the fraud associated with it.
If you were to look at the gains and the problems and weigh all this up, what would your opinion be on Aadhaar?
As a critic I will say that the problems have been more. The question is, for whom? Not for the rich. They are happy with it. But for a middle class person or a poor person, it’s a different story. As someone who has looked at this very closely, I think Aadhaar has been a disaster for Indian democracy. Not because of financial fraud or anything. You haven’t as yet seen the effects of Aadhaar in all the debates around NRC and the push towards linking it with voting.
Telangana is the most digitized state in the country. All this digital ecosystem has created is a large-scale surveillance mechanism more than any other state in India. There are advantages of a digitized society but there are also disadvantages.
In India, traditionally Indian capital has dictated policies and laws. Except that it’s not about business anymore. It’s about how Indian democracy or governance happens. I would look at Aadhaar from a governance perspective because it was a governance instrument. That’s not how Mr Nilekani looked at it. He designed it as an economic instrument.