The UIDAI has introduced two measures to strengthen the security of Aadhaar: a 16-digit virtual ID (VID) in place of Aadhaar number for authentication, and a ‘limited KYC’ feature in which agencies (other than those provided by the law) will receive a VID and not Aadhaar number of the user.
The move came after yet another expose of an unauthorised access to Aadhaar database in which demographic data of Aadhaar card holders were being sold on WhatsApp, as reported by The Tribune. Although a huge number of Aadhaar numbers have already been seeded with different databases, the virtual IDs, if applied carefully, will contain the damage. The VID is a kind of masking of the sensitive Aadhaar info. This solution, also called ‘tokenisation’, was discussed by three faculty members of the computer science department of IIT Delhi in a paper in the Economic and Political Weekly in September 2017. In an email interaction with Pratap Vikram Singh, Subodh Sharma, speaking on behalf of the trio of authors also including Shweta Agrawal and Subhashis Banerjee, talks about the effectiveness of virtual IDs, the key technological changes and safeguards necessary for secured use of Aadhaar. Edited excerpts:
Some experts call virtual ID and minimum KYC measures of the UIDAI as a ‘too little too late’ response.
The concept of virtual IDs, in our opinion, is a good idea. While it is hard to quantify statements such as “too little”, we feel that the other measures such as minimum KYC are necessary. Whether the measure is “too late” will depend on how effective and simple UIDAI’s migration plan is to replace the old Aadhaar numbers that have already been linked with the new virtual ones. The process can be problematic for the poor and the underprivileged if the migration is not executed with extreme care.
What are the fundamental technological weaknesses in Aadhaar system?
No public report is available presenting facts on the efficacy of biometric false ‘accept’ and false ‘reject’ rates; ditto for biometric deduplication.
In our opinion, it appears that the use cases for service delivery using Aadhaar are inadequately analysed (so it appears from the PDS exclusion reports).
Insofar as privacy and security are concerned:
(1) As we discuss in our paper, the model of using biometrics as a password (single factor) for authentication and authorisation is conceptually flawed. Biometrics should only be used for identity verification, that too under adversarial oversight.
(2) Using a single identifier (Aadhaar number) for all applications can create a vulnerability to orchestrate correlation attacks. This attack can possibly (if done well) be mitigated by virtual ids.
(3) The access control architecture appears vague. No clear and crisply defined online protocol for how data can be accessed and under what authorisation, how is it to be checked, and tamper-proof recording of access and authorisation trails and online audit. Hence, vulnerability to insider attacks.
(4) It appears that the peripheral services such as web-pages and mobile apps (m-Aadhaar) are poorly structured and poorly audited.
How does Aadhaar as a single digital identifier make individuals vulnerable? What is the solution you propose?
The digital identifier can be used to join databases, and mine personal information across multiple domains to profile individuals. Aadhaar is not the only global digital identifier with this vulnerability, mobile numbers and PAN also are. In fact, well before Aadhaar, the Indian private enterprises have started using mobile numbers as a unique id. Most databases, be it with banks and insurance, income tax, mutual funds, airlines, railways, hospitals and even small shops, have personal digital records indexed by mobile numbers. So, perhaps, mobile numbers require virtualisation more than Aadhaar does. Virtual ids, for all such unique identifiers, can be a solution. All you need is that if somebody, say an airline, calls your virtual mobile number, the real one should ring. Only a central authority needs to know the mapping. Ditto with Aadhaar.
Can you explain in plain language how cryptographically embedding Aadhaar ID into AUA-specific IDs makes the system safer from privacy and data protection perspective? Can you explain why it is needed and how it can be resolved?
In the current proposal there is no mention of cryptographic embedding. UIDAI will securely (hopefully) maintain a mapping between the global id and the various virtual ids. This way, if there is a need to join databases, say for some legitimate data analytics, then the UIDAI will have to facilitate it (there will have to be a mechanism for doing that). An alternative would have been to cryptographically hide the global id in the virtual ids, so that authorised entities with valid keys could link the virtual ids themselves (but still not be able to reconstruct the global id). That would have been another way to do the virtual ids.
In your paper you point at the need for demarcation between identity verification and authentication. Giving an example of Aadhaar-enabled service delivery, can you explain the importance of their separation?
Ideally identity verification should happen at the service provider’s premise, where there is a genuine interest in verifying the identity and the service provider will not collude with the person whose identity is being verified (adversarial oversight necessary to ensure that the person does not present a false plastic finger with somebody else’s fingerprint embedded on it). Consider, for example, a bank. The bank should produce an authentic biometric device, the person’s biometrics should be encrypted by the device and sent to UIDAI for verification along with her virtual id, and both the bank and the person should receive independent acknowledgements, directly from the UIDAI, about the outcome of the verification. That would be a correct identity verification protocol. This should only be done once in a while.
An example of an incorrect protocol is: A person walks up to a mobile telephone service provider’s officer to procure a SIM card, she gives her fingerprints to a device; the operator tells her that the verification has failed and asks her to put her fingers on the device again, she receives no communication from UIDAI, the operator issues a SIM in her name and sells it to somebody else. In effect she would have signed a blank paper authorising the agent to issue a SIM in her name! Ditto with withdrawal of money, PDS, etc.
Can you explain the possibility of insider leak of information from within UIDAI? How can it be addressed?
Consider the following scenario: some powerful entity can suddenly decide that SSS [the authors, Shweta, Shubhshis and Subodh] are bad people and influence insiders in UIDAI to access our personal data illegally without warrants, or put a tab on us. One or more insiders may use their privileged access rights illegally. Most attacks on protected databases happen through insiders – remember Snowden! Insider leaks are not only a concern with UIDAI but also with other bureaucracies like airlines and banks.
The only way to ensure against insider leaks is to have strict access control protocols in place to make unauthorised accesses, even by insiders, impossible.
Aadhaar is often criticised for a possibility of its use as a surveillance tool. Do you agree?
[It] can certainly become one without checks and balances. But the criticism is perhaps too broad and vague.
On one hand, there are claims about Aadhaar leading to huge savings which run in several thousand crore rupees. On the other, it is criticised for violation of privacy and exclusion in service delivery. Does the benefit outweigh the risk?
We cannot comment on the “savings” – there’ve been many loose statements on this already and we will not add to the noise. Risks can be mitigated with a proper design, and intuitively a unique verifiable identity appears to be a very useful tool for governance. The real benefit may come in digitisation of health records and in data analytics – econometrics, epidemiology, etc.
What are the other reforms and redressals required to strengthen the unique digital identity system?
Careful analysis of the use cases and taking special care not to cause exclusion or distress. Keep in mind the huge deficit of cultural capital in the country.
pratap@governancenow.com
(The interview appears in the January 31, 2018 issue)
