After recent reports have pointed out the security flaws in Aadhaar’s enrolment software, the Free Software Movement of India (FSMI) has written a letter to the CEO of UIDAI demanding to know what steps have been taken to plug these security holes.

The Enrollment Client Management Platform (ECMP) is the software used for Aadhaar enrolment by e-KYC agents across the country. To avoid problems with Internet connectivity during the enrolment process, the software performs its functions offline and is available for download from government websites. However, because anyone can download it and analyse its structure, the software is considerably more exposed to tampering and security breaches. Many such breaches have come to the fore, and incidents of misuse of the software have been reported.
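The weakness described above is a general one: when a downloadable client enforces a check on its own and merely reports the result, a patched copy of that client can report whatever it likes. The following is an added illustration, not ECMP's code or UIDAI's protocol; the packet format, the record store, the reference ids and the OTP flow are all constructed for the example. It contrasts a server that trusts a "verified" flag sent by the client with one that insists on verifying the evidence itself.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample record store: reference id -> registered details.
# The ids are placeholders made up for this example, not real Aadhaar numbers.
RECORDS: Dict[str, dict] = {"REF-0001": {"mobile": "9000000001"}}


@dataclass
class UpdatePacket:
    """What a (hypothetical) offline update client submits to the server."""
    ref: str
    new_mobile: str
    client_says_otp_verified: bool = False  # a flag the client sets for itself
    otp: Optional[str] = None               # evidence the server can check itself


@dataclass
class Server:
    records: Dict[str, dict]
    pending_otps: Dict[str, str] = field(default_factory=dict)

    def issue_otp(self, ref: str) -> str:
        """Generate a one-time code for the holder of `ref`. In a real system it
        would be delivered out of band (e.g. to the registered mobile); here it is
        returned so that the example runs offline."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[ref] = code
        return code

    def naive_accept(self, pkt: UpdatePacket) -> bool:
        """Design flaw: the OTP check lives in the client and the server only
        trusts a flag. A patched client simply sets the flag to True."""
        if pkt.ref not in self.records or not pkt.client_says_otp_verified:
            return False
        self.records[pkt.ref]["mobile"] = pkt.new_mobile
        return True

    def hardened_accept(self, pkt: UpdatePacket) -> bool:
        """Mitigation: the server ignores client assertions and verifies the
        evidence itself; the code is single-use and compared in constant time."""
        expected = self.pending_otps.get(pkt.ref)
        if pkt.ref not in self.records or expected is None or pkt.otp is None:
            return False
        if not hmac.compare_digest(expected, pkt.otp):
            return False
        del self.pending_otps[pkt.ref]          # burn the code: no replay
        self.records[pkt.ref]["mobile"] = pkt.new_mobile
        return True


def demo() -> dict:
    """Run a patched client and a genuine client against both server designs."""
    results = {}
    # A patched client claims the OTP step passed but holds no code at all.
    forged = UpdatePacket("REF-0001", "9111111111", client_says_otp_verified=True)
    s = Server({k: dict(v) for k, v in RECORDS.items()})
    results["naive_accepts_forged"] = s.naive_accept(forged)
    s = Server({k: dict(v) for k, v in RECORDS.items()})
    results["hardened_accepts_forged"] = s.hardened_accept(forged)
    # A genuine client presents the code the server issued for this holder.
    code = s.issue_otp("REF-0001")
    genuine = UpdatePacket("REF-0001", "9222222222", otp=code)
    results["hardened_accepts_genuine"] = s.hardened_accept(genuine)
    # Replaying the same packet must fail because the code has been consumed.
    results["hardened_accepts_replay"] = s.hardened_accept(genuine)
    results["final_mobile"] = s.records["REF-0001"]["mobile"]
    return results


if __name__ == "__main__":
    print(demo())
```

The point is where the decision is made: `naive_accept` cannot tell a genuine client from a patched one because both send the same flag, while `hardened_accept` needs a value only the server issued, so patching the client gains nothing. The same principle applies to any check (geo-location, biometric match, operator authorisation) that an offline client performs for itself.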

The most recent report comes from Asia Times, which shows how loopholes in the security of ECMP have allowed people to impersonate Aadhaar operators. This has further allowed the impersonators to change Aadhaar details, make fake Aadhaar cards, and change which biometrics correspond to which personal details. This means that someone's identity can be stolen: their personal details can be changed to match someone else's biometrics, which can then be used for all kinds of fraud. It also means that UIDAI's claim that biometrics are safe needs to be questioned. While the biometric data stored in the CIDR (Central Identities Data Repository) might be safe, if the personal data it is linked to can be altered through a breach, that safety does not count for much.

To add insult to injury, a video on YouTube explains how these security problems can be exploited to perform illegal operations, and the uploader of the video has been traced to an employee of the Computer Sciences Corporation (CSC) e-Governance division.

The full contents of FSMI’s letter are reproduced below:

To

Dr. AB Pandey, CEO,

UIDAI.

Dear Sir,

Subject: Security of the Aadhaar personal data and ECMP Software

This is to bring to your attention a very serious issue which has come to our notice. There are WhatsApp messages circulating about a patched version of the Enrollment Client Management Platform (ECMP) software used for off-line Aadhaar enrollment, which can potentially be used to bypass geo-location and bio-metrics, and also change the mapping between personal data of Aadhaar holders and their bio-metric data.

There are also many videos (such as https://www.youtube.com/watch?v=i3ttp72P_Ww) uploaded to YouTube since the middle of last year which claim to demonstrate how, using a software patch to the ECMP software, geo-location and bio-metric security protection can be bypassed. According to these claims, the following can be done:

1. New Aadhaar enrollment can be made without any verification.

2. That personal information pertaining to existing Aadhaar numbers can be changed, bypassing any security checks including OTPs and bio-metric verification.

If this is true, then it is a matter of very serious concern as it endangers the sanctity of the entire Aadhaar database. We would like to know whether UIDAI authority has carried out any examination of these claims, and if there is any merit to these claims regarding the security of the Aadhaar enrollment software being compromised.

We would also like to bring to your notice that the PayTM account 7041704604 was mentioned in the YouTube video https://www.youtube.com/watch?v=i3ttp72P_Ww. This account was tracked down to a certain Bharat B., who claimed to work for the Computer Sciences Corporation (CSC) e-Governance division. Since CSC was contracted by UIDAI for Aadhaar enrollment services, could this possibly be a case of rogue insiders who have used their access to this software to create illegal patched versions and are then selling them on the grey market?

Is UIDAI aware of this, as this has been reported in the press in the last few days? Please refer to:

What are the steps the UIDAI is taking to make the Aadhaar system safe, as the security problems seem to emanate from inherent design flaws in the client-server architecture of Aadhaar? Also, given that solicitations to sell the patched version of the software appear to have been uploaded to the net and doing the rounds on WhatsApp for at least the last year, what is the sanctity of the information stored in the Aadhaar database? What steps is UIDAI taking to verify the validity of data already uploaded by private players to the Aadhaar database, and whether it has been corrupted by such rogue patches being sold on the black market?

Given the seriousness of this issue and the imminent threat to our national security, given the widespread use of Aadhaar for identification purposes, we hope that UIDAI will treat this matter with the utmost seriousness. We hope to get your quick response on this matter, which concerns all citizens of India. Continued silence by UIDAI on this issue is only fuelling speculation and rumours regarding what is supposed to be India's key data service.

Thanking You,

Yours sincerely,

Prabir Purkayastha, President

Y. Kiran Chandra, General Secretary