On 28 July, newspapers reported that UIDAI, the state-owned agency that manages India’s unique identity project, Aadhaar, had filed a police complaint against Qarth Technologies, a company that was acquired in 2016 by Ola, India’s largest ride-sharing platform.
UIDAI accused Qarth’s founders of illegally accessing the Aadhaar data for all of 2017. And yet strangely, UIDAI also maintained that “there has been no breach, no leakage and no theft of data.”
The victimless crime wasn’t the first, and it won’t be the last. Because Aadhaar’s privacy and security goals are in conflict with its commerce and identity ambitions.
At the simplest level, Aadhaar as a unique 12-digit number solves the ID problem for everyone in india via biometric deduplication. Basic demographic details such as name, date of birth, photograph, email address and a phone number along with iris and fingerprints are stored in a central identity data repository (CIDR), also known as the core.
At last count, over 1.15 billion Indians were enrolled under Aadhaar, including over 99% of those over the age of 18.
From the beginning, experts said that centralisation of such a big database was bad system design and would be vulnerable to attacks. By way of answer, it was protected by layers of firewalls and never exposed to the rough badlands of the public internet, where rogue hackers regularly scan every single known address for vulnerabilities and ruthlessly exploit them.
But over time, Aadhaar evolved from just an identity project to a mammoth identity platform, linking together every aspect of modern life—taxes, schools, subsidies, healthcare, banking, home ownership, telephony and even post-retirement pension.
But a locked down database is not of much use when your ambition is to be an identity platform that would take on Google and Facebook in scope. Because for the Aadhaar project to succeed it has to provide value, and value can be provided only if the data collected is shared and made available to all applications that rely on Aadhaar.
And thus, the core stayed locked down while hundreds of applications now formed the periphery, together making up the Aadhaar ecosystem. But with the core being impregnable for all practical purposes, what about the security of the periphery?
Secure core, porous periphery
Securing the Aadhaar periphery—composed of hundreds of different types of apps and services from hundreds of different entities—is much tougher than securing the Aadhaar core. And even if it were technically possible to secure them all, it would slow down the growth of the Aadhaar ecosystem.
Thus the Indian government provided a neat solution—what if a law could be passed that penalise an application at the periphery leaking data? Surely the fear of jail and loss of reputation would make application developers pay attention to data security went the thinking.
With this, the periphery was left to its own devices and everyone was convinced that the techno-legal solution (technical solution for core, legal solution for periphery) was good.
Fast-forward to the present.
The periphery started leaking data slowly at first, picked up pace soon and at last count was close to 210 government web sites. Why was the techno-legal solution not working?
Turns out the peripheral applications faced the same dilemmas on scaling usage versus securing data that UIDAI did. Additionally, with most being monopolies (most of the periphery applications are other government arms), they did not have market forces to answer to and hence were unconcerned about data security, until three months ago.
But are private entities any better?
This brings us to the case filed against the Ola-owned entity by the UIDAI for data theft. And the Reliance Jio leak before that.
Unchain of trust
We all know what credentials are. In most cases, they are just a username-password combination to access services like bank accounts, email servers or e-commerce sites.
Say you signed up a new financial advisor and she asked you for the credentials of your bank accounts. Would you share them? Obviously not.
Let’s now imagine the same financial advisor is an AI-powered software bot. So instead of sharing our credentials with it, we can now give it a token. Tokens are randomly generated credentials, which only allows view-access to a subset of your entire data. They are also revocable, meaning you can rescind a token without having to change your own credentials.
So, the bot gets a token allowing access to only your stocks and bonds portfolio, but not your entire bank account. But the bot comes back and tells you that there is another bot in the market, which can analyse your bond holdings better than itself. If you accept the suggestion, then it creates another token for the bond analysis bot, but with access only to your bond holdings within your overall portfolio.
In effect, this creates a chain of trust. You trust the financial advisor bot, which trusts the bond holdings bot and so on.
In the Aadhaar ecosystem, the same concepts are involved:
- Twenty-seven ASAs(Authentication Service Agencies) have a direct leased line connectivity to the core and approved via UIDAI.
- Three hundred and twenty five AUAs(Authentication User Agencies) who can sign up license agreements with ASAs and approved via UIDAI (They could be ASAs as well).
- Two hundred and fifty twoeKYC AUAswho need to be a AUA, for providing ‘Know Your Customer’ Services.
- Sub-AUAs who can sign up license agreements with AUAs.
The chain of trust thus looks like this:
Notice the red boxes at the end? Almost all the leaks that have been reported so far have happened there.
And most of the future ones will too.
The chain of trust model above all depends on the same tokens not being shared across every downstream entity. The AUAs and ASAs are tightly controlled, and these entities have to comply with various regulations. However, between AUAs and sub-AUAs, there is no way to enforce it, and token sharing was one of the issues behind a now infamous biometric replay attack that has been widely reported.
In the absence of either a privacy law (the government is currently arguing in the Supreme Court that privacy is not a right for Indians, and that it is more suitable for developed countries) or breach disclosure laws, it’s safe to say that instances of Aadhaar breaches will only continue to happen even as Aadhaar’s applications and use-cases continue to grow.
