
Summary Report: Discussion on Understanding Aadhaar through the Lens of Technology


by sflc_admin    |    October 7, 2016

SFLC.in, in collaboration with iSPIRT (Indian Software Product Industry Round Table) organized a discussion on September 5, 2016 at the India International Centre, New Delhi, where we aimed to delve deeper into the technological components of the Aadhaar project and the legal and policy challenges surrounding them. This discussion was an effort to bring diverse views on the technical sufficiency, capability, and security of Aadhaar into one forum and conduct a dialogue that will provide the relevant knowledge to stakeholders to discuss the scheme and its interconnected elements of law, technology, and policy.

The discussion was attended by around 33 stakeholders from the industry, civil society, academia, and media communities, and was divided into two sessions: first, a presentation on the technology powering Aadhaar, followed by a roundtable discussion on the legal and policy aspects of the project that would begin with a critical evaluation of Aadhaar’s security framework. The event was held under the Chatham House Rule to facilitate an open discussion, which means the substantive points detailed below reflect the views of the participants, though no specific attributions will be made.

Over the course of the first session, the following points emerged:

  • Large population, low income, migrant laborers, frequent leakages in subsidies, lack of identity proofs, were all highlighted as factors that led to the project’s conceptualization.

  • Aadhaar was envisaged as a means to identify residents even in their physical absence, and biometric/demographic information is collected for this purpose.

  • The following broad principles underscore the Aadhaar project – collection of minimal information; privacy safeguards; inclusiveness; zero knowledge of reasons behind authentication; enablement of innovation.

  • Aadhaar works on a federated model i.e. it does not link out, rather, people link in.

  • State Governments are expected to rely on Aadhaar the most, as PDS and other subsidies are state administered at the ground level.

  • All outsourced functionaries in the Aadhaar chain must mandatorily be trained and registered with the UIDAI.

  • There are 3 vendors of biometric systems for the project (LI, Accenture, Morpho at first, Morpho acquired by LI, one additional vendor at a later stage); all STQC certified; this is in keeping with Aadhaar’s vendor neutrality i.e. no one exclusive vendor for any service.

  • Each vendor maintains 3 databases i.e. archival, biometric de-duplication, and authentication; network firewalls prevent outbound connections from all databases; remote access is similarly disabled.

  • Field tests are conducted for biometric systems vendors, false positives being grounds for disqualification; false reject rates were to be less than 2% for fingerprint readers, less than 1% for iris scanners, but these numbers may have changed since 2012.

  • Aadhaar data is always end-to-end encrypted (2048-bit PKI) – never stored in unencrypted formats at enrollment centres; the data is only decrypted at CIDR, and is transferred to UIDAI over HTTPS through registrar systems.

  • Aadhaar has two data centres – one each in Delhi and Bangalore; each has 10 servers capable of 100 million transactions per day; users are informed via email and SMS whenever an authentication takes place – successful or failed.

This presentation was followed by a roundtable discussion on the legal and policy aspects of Aadhaar, which began by highlighting three main concerns around the project: identification of individuals without consent using the Aadhaar number; identification and authentication without consent using demographic/biometric data; and surveillance, either through external hacks or internal leaks/collusion. It was said that privacy protection does not prevent collection of data, but asks for provable guarantees against unauthorized use, and the following requirements must be met to ensure privacy and security within Aadhaar: no correlation of identities across application domains; authentication/identification must not be possible without user participation; no manual inspection of authentication records and audit trails; a tamper-proof record of all authorization chains/audit trails; and a defensive design that does not assume trust towards UIDAI, enrolment agencies/devices and AUAs.

It was observed that while Aadhaar looks strong against external attacks, insider attacks/leaks are still a possibility. Furthermore, all symmetric and private keys and hashes are stored within UIDAI, and there is no well-defined approval procedure for data inspection. There is no audit/certification of codes and programs, leaving the framework open for abuse. As a result, Aadhaar’s technology framework was said to be far from fool-proof despite its incorporation of strong encryption and other security protocols, and remained especially vulnerable to abuse from within the system itself. To remedy these shortcomings, the institution of an independent third party auditor under an appropriate legal framework was recommended.
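The requirement for a tamper-proof audit trail and the concern that all keys and hashes sit with one party can be illustrated with an added example (not from the discussion and not a description of UIDAI's systems): a hash-chained log remains self-consistent after its holder rewrites it entirely, and only a head hash saved by an independent auditor exposes the rewrite. The record fields and function names are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain

def entry_hash(prev_hash, record):
    """Hash one audit record together with the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def build_log(records):
    """Operator side: each appended entry commits to its predecessor."""
    log, prev = [], GENESIS
    for record in records:
        prev = entry_hash(prev, record)
        log.append({"record": record, "hash": prev})
    return log

def chain_is_consistent(log):
    """Recompute every link; this needs nothing but the log itself."""
    prev = GENESIS
    for entry in log:
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def checkpoint(log):
    """Auditor side: remember the log length and head hash, stored off-site."""
    return {"size": len(log), "head": log[-1]["hash"] if log else GENESIS}

def auditor_accepts(log, saved):
    """The log must be consistent and still extend the saved checkpoint."""
    size = saved["size"]
    if not chain_is_consistent(log) or len(log) < size:
        return False
    return size == 0 or log[size - 1]["hash"] == saved["head"]

# Constructed sample authentication records (not real data or field names).
RECORDS = [
    {"seq": 1, "requester": "AUA-A", "result": "success"},
    {"seq": 2, "requester": "AUA-B", "result": "failed"},
    {"seq": 3, "requester": "AUA-A", "result": "success"},
]

if __name__ == "__main__":
    saved = checkpoint(build_log(RECORDS))
    rewritten = build_log([dict(r, result="success") for r in RECORDS])
    print(chain_is_consistent(rewritten), auditor_accepts(rewritten, saved))
```

The internal consistency check alone cannot distinguish the original log from one rebuilt by whoever controls it; the comparison against a checkpoint held outside that party's control is what makes the record tamper-evident.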

A number of interjections were made by the participants during the presentations, a notable few of which were:

  • A question was asked about the issuance of duplicate Aadhaar cards bearing different numbers, which was initially dismissed as highly unlikely. However, as a participant claimed to personally know someone with multiple cards, it was said that duplication was after all a possibility, albeit a remote one.

  • A question was asked about the patents involved in the Aadhaar biometric systems, which was answered by stating that the sole patent in this regard was held against the iris scanners, but this too expired in 2010.

  • It was pointed out that there were reports of at least one suicide resulting from non-provision of an Aadhaar card, which was necessary to avail benefits. This led to a conversation on the mandatory nature of Aadhaar and how Aadhaar officials, by making Aadhaar cards pre-requisites for availing a wide array of services and benefits, were flouting the Supreme Court order from October 2015 that prevented Aadhaar from being made mandatory except under a few limited circumstances.

  • The potential use of Aadhaar as a mass surveillance tool was discussed at length. Its vast reserve of residents’ biometric and demographic data and continuous logging of authentication instances, coupled with the possibility for discreet access of the database by law enforcement agencies were all highlighted as pressing concerns in this regard.

Aadhaar operates with the collection, sharing, and storage of biometric as well as demographic information of individuals. With its mass enrollment, it is being planned and aimed as a means for enabling a larger digital ecosystem to make the shift to a data centric business model. Considering this ambitious goal, it was pertinent to understand the functioning of the underlying machinery of this system, so as to better equip stakeholders for effective public dialogues around the issue. This discussion was meant to be a platform to build such an understanding, while at the same time remaining mindful of the fact that an exhaustive and nuanced understanding of the inner-workings of Aadhaar would be difficult to gather from a two-hour discussion. While the discussion did provide greater clarity about certain aspects of the technology powering Aadhaar, it was also made clear that the underlying principle-based conflicts that drive much of the public opposition to Aadhaar’s implementation are irreconcilable on several crucial counts. The need of the hour then is an open and sustained dialogue between the general public and the Government to contemplate the way forward with this highly controversial project.

Original author: sflc_admin
©Republished under Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) Licence