Skip to main content

The Aadhaar Card: Cybersecurity Issues with India’s Biometric Experiment

May 9, 2019

Author:

Mardav Jain

India was one of the fastest growing economies in the world in 2018, behind only Ghana and Ethiopia.[1] Despite this huge growth potential, a significant portion of India’s 1.1 billion residents still live below or close to the poverty line, a problem that is only expected to exacerbate—according to the UN, India will overtake China in terms of total population by as soon as 2024.[2] Most of India’s poor are thus reliant on government subsidies for their daily survival. India’s Public Distribution System (PDS) which constitutes 1% of total GDP of the country, provides food to the poor via Fair Price Shops and other government schemes.[3] However, the whole system was under tremendous pressure and process of obtaining and delivering these subsidies, was riddled with fraud, existence of black markets and exhausting bureaucracy.

To combat a plethora of these logistical issues, Aadhaar was created in 2009. It was developed as a tool to standardize the process of data collection and ease the dispersal of money from government schemes to the citizens of the country, especially the poor. Aadhaar is 12-digit unique-identity number that is issued to all Indian residents, and the process of obtaining the ‘Aadhaar Card’ involves collection of citizens’ fingerprints, retina scans as well as their face photos.[4] It is one of the biggest biometric databases on the planet with around 1.2 billion enrollments, covering around 89% of India’s population.[5]

While Aadhaar has the potential to digitize much of India’s cumbersome bureaucracy, the project is not without its shortcomings—(1) its overreaching influence and myriad data leaks pose a massive threat to the privacy of the citizens of India, (2) its use as a substitute for official Photo-ID has introduced new vulnerabilities into the system, and (3) the use of the data for AI software development is on shaky ethical grounds. All of these issues exacerbate one another and have the potential to turn the Aadhaar system into an oppressive surveillance tool for the state.

Background

Aadhaar was first formulated as an idea in 2009 under the then ruling United Progressive Alliance (UPA). Unique Identification Authority of India (UIDIA) was the main authority responsible for the Aadhaar system and this agency was set up as an extension of the Planning Commission of India (an important government-funded policy think tank).[6] The project was headed by Nandan Nilekani, the co-founder of one of India’s premier IT firms, Infosys and was designed to simplify the bureaucratic nature of government schemes in India.

Before the creation and advent of Aadhaar, availing the benefits of government programs was very hard and taxing for the poor. It involved filing a lot of complicated paperwork, providing several proofs of residence and identification and also required people to take time off work to complete these requirements. Aadhaar has since then replaced most requirements for identification proof and is usually the only document required to avail a government scheme.[7]

The Aadhaar card is now linked with services such as driving license, school scholarships, cooking gas subsidies, passports, pensions and provident fund accounts.[8] The Aadhaar card is also being considered for provision of the services provided by Indian Railway System, especially the online reservation process.[9] The Developmental Cooperative Bank even launched its first Aadhaar based ATM in June 2016 and aims to utilize the biometric fingerprint as an additional security feature in customers accessing their money.[10]

Major Concerns

Aadhaar’s importance cannot be understated—it contains the data of billions of people, and the security of this data and the system itself is an incredibly important point of political contention. Complicating the issue is that fact that ever since its inception, Aadhaar has been plagued by a myriad of internal and legal problems, as well as major leaks and vulnerabilities in the overall security of the system.

Internal Problems and Leaks

One of the major criticisms of Aadhaar has been the numerous major security lapses that have been omnipresent in the workings of Aadhaar and which have as a result made the system prone to data leaks. UIDIA has had to regularly shut down fraudulent websites that keep popping up, disguising themselves as official websites, and phishing people for their personal information.[11] In 2018 around 200 official government websites accidentally made personal Aadhaar data public; the problem exacerbated to such a level, that one could access thousands of government databases with confidential information simply by Googling it.[12] The Indian Government had to resort to blocking around 5,000 officials because Aadhaar data was being accessed by unauthorized personnel working for the government.[13]

The Tribune also reported that its journalists were able to track down an anonymous group on WhatsApp that was selling Aadhaar card details for a meagre Rs 500 ($7.2 US). Once the payment was made, the journalists received the Login ID and Username to a portal where all the information under the Aadhaar number of that individual could be accessed easily.[14] Before this vulnerability in the system was fixed, the Tribune estimated that over 100,000 people had accessed sensitive Aadhaar information illegally.[15]

A Jharkhand state website accidentally released the data of 1.6 million pension beneficiaries, including their addresses and bank account details.[16] The Center for Internet and Society also reported that about 130 million Aadhaar numbers and other related confidential data had accidentally been made public.[17] Although it was argued that this wasn’t an actual leak, and was instead just a misstep on part of the government, the event points to a larger trend of the Indian government being extremely careless with the data of its citizens and being apathetic to repercussions of their actions, most of which are borne by everyday citizens.

Vulnerability as a substitute for Photo-ID

Due to government’s aggressive push to link Aadhaar with all basic services, Aadhar is now India’s most popular photo identification document – a designation has created a host of other problems. Aadhaar was not meant to directly replace other forms of ID, it was meant to be used for biometric authentication wherein a person’s fingerprint or iris scan is matched with their Aadhaar number against a central database.[18] When it is used simply as a photo-ID, it becomes more vulnerable to being duplicated or faked because it lacks any traditional security features that are present in other photo-IDs such a microchip, hologram, or an official seal.

Aadhaar’s security vulnerabilities were on full public display when RS Sharma, chairman of India’s telecom regulator and the first director general of the UIDAI, tweeted his Aadhaar number out to the general public, as a test of his confidence in the system. Not only were people able to find out his personal information via his Aadhaar number, one individual even managed to create a fake Aadhar card which was accepted as genuine by Amazon and Facebook ad services and was used to initiate services under Sharma’s name. The problem is exacerbated due to the fact that most private and public entities now ask for photocopies of Aadhaar as valid identity proofs which are then stored on unprotected networks, worsening the potential for abuse of this information.[19]

Legal Problems and Privacy Issues

The Aadhaar project initially continued without any real legislative backing and was delayed in its full implementation due to political polarization and opposition from the minority parties. The first legal trouble started in 2012 when oil companies lobbied to have the UPA make it mandatory for beneficiaries of gas subsidies to link their bank accounts to Aadhaar. The case went to the Supreme Court (SC) of India, which struck down the mandatory provision in 2013 and declared that the lack of an Aadhaar card was not grounds to deprive anyone of any service.[20]

The UPA Government fell in 2014 and was replaced by the Modi led National Democratic Alliance (NDA). The Aadhaar system gained new vigor under the NDA and a bill titled ‘Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016’ was finally passed in the Lok Sabha (the lower house of the Indian Parliament) in March 2016.[21] This provided legislative backing to this biometric database project and increased the legitimacy of Aadhaar. Immediately after the passage of the bill, the NDA started to aggressively push for mandatory linkage of Aadhaar to services such as crop insurance, IT returns, getting a new SIM, vehicle registrations, and even death certificates.[22]

The main issue between the NDA and the critics of the Aadhaar system was one of privacy. Aadhaar suffers from a myriad of security issues and the system has repeatedly proven to be vulnerable to both internal leaks and external abuse of the data. The NDA had argued that the right to privacy was not a fundamental right but was proven wrong by the SC verdict in August 2017 which guaranteed the fundamental right to privacy under the Indian Constitution.[23]

The latest development came in 2018 when the SC upheld the constitutional validity of the Aadhaar project.[24] The SC allowed the mandatory linking of Aadhaar for filing tax returns and accessing welfare schemes but removed the requirement for bank accounts and SIM cards. It also struck down section 57 of the Aadhaar Act, which allowed corporations and individuals to ask for Aadhaar in exchange for goods and services.[25] The court also demanded that the Central Government pass a strong data protection law as soon as possible.[26] Although the limited power of the private sector and the requirement to pass a strong data protection law are crucial in guaranteeing the right to privacy, the overall judgement did not go far enough in limiting government abuse of the program and of the data collected under the program.

Impact on Artificial Intelligence Research

With its growing economy, India is pouring a lot of money into Artificial Intelligence (AI) Research and is emerging as a leader in the field. According to Scimago, between 2013-2017 India between produced a total of 12,135 peer-reviewed research documents on AI, trailing behind only China and the US.[27] AI is extremely important to the growth of the country and the economy and would add huge benefits to healthcare, financial services, monsoon forecasting, retail, and the education industry. It was reported in a paper released by the National Institution for Transforming India (NITI Ayog)—the very think tank that came up with the idea of Aadhaar—that the country could add $1 trillion through integrating AI into its economy.[28]

The strength of an AI system or research is directly linked to the number and kind of data that is fed into the machine learning process. With the biometric data of more than a billion people, the Aadhaar system has the potential to revolutionize the pace and growth of AI research in India. Aadhaar’s data pool isn’t just limited to the system itself, the government has essentially mandated the linking of Aadhaar to other individual information as well. Aadhaar is now the standard identity proof document and is required for accessing a lot of public services such as opening a bank account and getting a new SIM card.[29]

The government of India thus has access to the data of nearly of all its citizens. They can track activities of suspicious individuals through their Aadhaar number which will connect them to other services that they use. It is highly likely that the government will push for AI programs that will scan citizens activities and their patterns to automatically flag certain individuals as dangerous or suspicious. While this may help with crime and controlling terrorism, it has the potential to turn India into an oppressive surveillance state.

Police officers in Punjab are already using the Punjab Artificial Intelligence System (PAIS)— an artificial-intelligence assisted face-recognition algorithm—to catch criminals.[30] They hope to tremendously increase the accuracy and strength of this AI by linking it with Aadhaar data.[31] A government funded program called the Crime and Criminal Tracking Network & Systems (CCTNS) is also creating a biometric database of criminals nationwide and the program wants to integrate with the Aadhaar database so as to better identify criminals.[32] The Union Cabinet wants to even create a national DNA database which would further infringe upon the citizen’s rights and has a great potential for abuse.[33]

Implications

Aadhaar is a perfect example of a well-intentioned government scheme gone awry. It started as a novel idea to reduce bureaucracy and fraud but is now threatening the individual privacy of all its users and limiting the constitutional rights of Indian citizens.

ID documents hold tremendous power over a person’s mobility, their ability to work, to access basic services, and effects their identity as a full citizen. The government, in using all its powers to mandate the linkage of Aadhaar, is ignoring the consequences for the most vulnerable—those who are unable to participate in the program.

Furthermore, its plethora of security issues has left the biometric data of billions of people vulnerable to external and internal abuse. Aadhaar has also given the government unjust powers to surveil its citizens and deny them their fundamental rights. The association and potential of Aadhaar contributing to state-controlled machine learning programs will also undermine democratic principles. The Modi led NDA is using Aadhaar as another creative way to expand the powers of the government, even if it means eroding the fundamental rights guaranteed in the constitution.

Endnotes

[1] The Top 10 Fastest Growing Economies in 2018, 2018, Atlas.

[2] India’s Population to Surpass That of China around 2024: UN – Times of India, The Times of India.

[3] Vikas Bajaj, 2012, A Failed Food System in India Prompts an Intense Review, The New York Times.

[4] Varun HK, Aadhaar: A History of the Controversy, Deccan Herald.

[5] Aadhaar Now World’s Largest Biometric Database: 5 Facts from UIDAI CEO’s Presentation in Supreme Court You Must Know, The Financial Express, 2018.

[6] About UIDAI, Unique Identification Authority of India, Government of India.

[7] Raja Siddharth Raju et al, Aadhaar Card: Challenges and Impact on Digital Transformation, 2.

[8] Raja Siddharth Raju et al, Aadhaar Card: Challenges and Impact on Digital Transformation, 3.

[9] Ibid.

[10] Raja Siddharth Raju et al, Aadhaar Card: Challenges and Impact on Digital Transformation, 4.

[11] Aadhaar Security Breaches: Here Are the Major Untoward Incidents That Have Happened with Aadhaar and What Was Actually Affected, Tech2.

[12] Ibid.

[13] Aadhaar Security Breaches: Here Are the Major Untoward Incidents That Have Happened with Aadhaar and What Was Actually Affected, Tech2.

[14] Aadhaar Database Access Found to Be Sold on WhatsApp for Rs 500; UIDAI Official Acknowledges Major Data Breach- Technology News, Tech2.

[15] UIDAI Blocks 5,000 Officials from Aadhaar Portal Following Reports of Unauthorised Usage- Technology News, Firstpost, Tech2.

[16] Aadhaar Details of about 1.6 Million Residents Leak in Jharkhand, Tech2.

[17] 130 Mn Aadhaar Numbers Were Not Leaked, They Were Treated as Publicly Shareable Data, Tech2.

[18] Aria Thaker, Aadhaar’s Most Common Use Is Also One of Its Most Dangerous Problems, Quartz India.

[19] Ibid.

[20] Varun HK, Aadhaar: A History of the Controversy, Deccan Herald.

[21] Lok Sabha Clears Aadhaar Bill, The Hindu.

[22] Varun HK, Aadhaar: A History of the Controversy, Deccan Herald.

[23] Supreme Court Verdict on Right to Privacy, The Hindu.

[24] Initial Analysis of Indian Supreme Court Decision on Aadhaar, Privacy International.

[25] Ananya Bhattacharya Anand, Aadhaar Is Voluntary—but Millions of Indians Are Already Trapped, Quartz India.

[26] Initial Analysis of Indian Supreme Court Decision on Aadhaar, Privacy International.

[27] Jacob Koshy, India Ranks Third in Research on Artificial Intelligence, The Hindu.

[28] Ibid.

[29] Anirudh VK, How Aadhaar Can Be Used To Train A Surveillance AI For India, Analytics India Magazine

[30] Gopal Sathe, Cops In India Are Using Artificial Intelligence That Can Identify You In a Crowd, HuffPost India.

[31] Gopal Sathe, Cops In India Are Using Artificial Intelligence That Can Identify You In a Crowd, HuffPost India.

[32] Cabinet Approves Extension of Implementation of Crime and Criminal Tracking Network and Systems Project by One Year, Cabinet Committee on Economic Affairs, Government of India.

[33] Gopal Sathe, Cops In India Are Using Artificial Intelligence That Can Identify You In a Crowd, HuffPost India.

References

“130 Mn Aadhaar Numbers Were Not Leaked, They Were Treated as Publicly Shareable Data: CIS- Technology News, Firstpost.” n.d. Tech2. Accessed March 7, 2019. https://www.firstpost.com/tech/news-analysis/130-mn-aadhaar-numbers-were-not-leaked-they-were-treated-as-publicly-shareable-data-cis-3702187.html.

“Aadhaar Database Access Found to Be Sold on WhatsApp for Rs 500; UIDAI Official Acknowledges Major Data Breach- Technology News, Firstpost.” 12:08:11 +05:30. Tech2. 12:08:11 +05:30. https://www.firstpost.com/tech/news-analysis/aadhaar-database-access-found-to-be-sold-on-whatsapp-for-rs-500-uidai-official-acknowledges-major-data-breach-4286427.html.

“Aadhaar Details of about 1.6 Million Residents Leak in Jharkand- Technology News, Firstpost.” n.d. Tech2. Accessed March 7, 2019. https://www.firstpost.com/tech/news-analysis/aadhaar-details-of-about-1-6-million-residents-leak-in-jharkand-3701559.html.

“Aadhaar Now World’s Largest Biometric Database: 5 Facts from UIDAI CEO’s Presentation in Supreme Court You Must Know.” The Financial Express (blog), March 23, 2018. https://www.financialexpress.com/aadhar-card/aadhaar-now-worlds-largest-biometric-database-5-facts-from-uidai-ceos-presentation-in-supreme-court-you-must-know/1108622/.

“Aadhaar Security Breaches: Here Are the Major Untoward Incidents That Have Happened with Aadhaar and What Was Actually Affected- Technology News, Firstpost.” n.d. Tech2. Accessed March 7, 2019. https://www.firstpost.com/tech/news-analysis/aadhaar-security-breaches-here-are-the-major-untoward-incidents-that-have-happened-with-aadhaar-and-what-was-actually-affected-4300349.html.

“About UIDAI.” Unique Identification Authority of India | Government of India. Accessed February 25, 2019. https://uidai.gov.in/about-uidai.html.

“Cabinet Approves Extension of Implementation of Crime and Criminal Tracking Network and Systems Project by One Year.” n.d. Cabinet Committee on Economic Affairs, Government of India. Accessed March 11, 2019. http://pib.nic.in/newsite/PrintRelease.aspx?relid=160547.

Anand, Ananya Bhattacharya, Nupur. n.d. “Aadhaar Is Voluntary—but Millions of Indians Are Already Trapped.” Quartz India. Accessed March 28, 2019. https://qz.com/india/1351263/supreme-court-verdict-how-indias-aadhaar-id-became-mandatory/.

Bajaj, Vikas. 2012. “A Failed Food System in India Prompts an Intense Review – The New York Times.” The New York Times. June 7, 2012. https://www.nytimes.com/2012/06/08/business/global/a-failed-food-system-in-india-prompts-an-intense-review.html?_r=1&smid=FB-nytimes&WT.mc_id=BU-E-FB-SM-LIN-AGP-060812-NYT-NA&WT.mc_ev=click.

HK, Varun. 2018. “Aadhaar: A History of the Controversy.” Deccan Herald. September 20, 2018. https://www.deccanherald.com/national/aadhaar-act-verdict-history-693614.html.

“India’s Population to Surpass That of China around 2024: UN – Times of India.” n.d. The Times of India. Accessed March 27, 2019. https://timesofindia.indiatimes.com/india/indias-population-to-surpass-that-of-chinas-around-2024-un/articleshow/59257045.cms.

“Initial Analysis of Indian Supreme Court Decision on Aadhaar.” n.d. Privacy International. Accessed March 28, 2019. http://privacyinternational.org/feature/2299/initial-analysis-indian-supreme-court-decision-aadhaar.

Koshy, Jacob. 2019. “India Ranks Third in Research on Artificial Intelligence.” The Hindu, January 18, 2019, sec. Science. https://www.thehindu.com/sci-tech/science/india-ranks-third-in-research-on-artificial-intelligence/article26030596.ece.

“Lok Sabha Clears Aadhaar Bill.” The Hindu. March 11, 2016, sec. National. https://www.thehindu.com/news/national/Lok-Sabha-clears-Aadhaar-Bill/article14150001.ece.

Raju, Raja Siddharth, Sukhdev Singh, and Kiran Khatter. “Aadhaar Card: Challenges and Impact on Digital Transformation,” n.d., 20.

Sathe, Gopal. 2018. “Cops In India Are Using Artificial Intelligence That Can Identify You In a Crowd.” HuffPost India. August 16, 2018. https://www.huffingtonpost.in/2018/08/15/facial-recognition-ai-is-shaking-up-criminals-in-punjab-but-should-you-worry-too_a_23502796/.

“Supreme Court Verdict on Right to Privacy,” The Hindu. August 24, 2017, sec. Resources. https://www.thehindu.com/news/resources/supreme-court-verdict-on-right-to-privacy/article19551827.ece.

Thaker, Aria. n.d. “Aadhaar’s Most Common Use Is Also One of Its Most Dangerous Problems.” Quartz India. Accessed March 27, 2019. https://qz.com/india/1399518/whatever-indias-supreme-court-says-aadhaar-was-never-a-photo-id/.

“The Top 10 Fastest Growing Economies in 2018.” 2018. Atlas. January 10, 2018. http://www.theatlas.com/charts/BJOKD67VG.

“UIDAI Blocks 5,000 Officials from Aadhaar Portal Following Reports of Unauthorised Usage- Technology News, Firstpost.” 12:10:06 +05:30. Tech2. 12:10:06 +05:30. https://www.firstpost.com/tech/news-analysis/uidai-blocks-5000-officials-from-aadhar-portal-following-reports-of-unauthorised-usage-4294143.html.

VK, Anirudh. “How Aadhaar Can Be Used To Train A Surveillance AI For India.” Analytics India Magazine (blog), January 21, 2019. https://www.analyticsindiamag.com/how-aadhaars-database-can-be-used-to-train-a-surveillance-ai-for-the-indian-government/.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.