New Delhi: All of our private data submitted with the UIDAI for Aadhaar have been stored in a system that is “too open to abuse”. This is what three IIT professors have concluded in their study on Aadhaar, which is now lying with the UIDAI.

IIT-Delhi professor, Subhashis Banerjee said, “We have identified insider leaks and attacks as the biggest threat to data security and recommended a complete overhaul of the access control architecture.”

The three professors had earlier suggested the introduction of an additional Virtual ID along with the Aadhaar number for added security, soon after which the UIDAI introduced the 12-digit security cover.

In a bid to address privacy concerns, the UIDAI had on January 10 introduced the Virtual ID, which Aadhaar-card holders can generate from its website and submit for various purposes, including SIM verification, instead of sharing the actual 12-digit biometric ID.

The IIT professors have identified other security flaws in Aadhaar and have presented their observations as “Privacy and Security of Aadhaar: A Computer Science Perspective”.

Looking at the reception that UIDAI may have given to their suggestions on Virtual IDs; the experts have now suggested that these new IDs should not become effective instruments only for the privileged ones and a cause of distress for others.

Shweta Agrawal from IIT-Madras, Subhashis Banerjee and Subodh Sharma from IIT-Delhi presented their paper to UIDAI last year.

The three believe the infrastructure looks strong against external attacks but perhaps would be inadequate against insider leaks.

Moreover, according to the study, in the system used to store all symmetric and private keys and hashes within the UIDAI, “perhaps obfuscated, but trust is implicitly assumed and this is a design flaw.”

The presentation further talks about how there is “no well-defined approval procedure for data inspection for investigation or for analytics. No audit, certification of codes and programs.”

The entire system of Aadhaar has been seen as “too open to abuse” where “insider leaks and unauthorized inspection by personnel and organizations with access are the biggest security risks.”

PRESENTATION TO UIDAI

Speaking to News18, Banerjee said that they completed their paper in August 2016 and submitted it to the UIDAI in September 2017.

“We had suggested the option of Virtual IDs in our paper and their initial reaction to the paper was that it was too theoretical. But on the whole UIDAI have been receptive to the suggestions,” said Banerjee. He is working on data protection law and would like to send the recommendations to the government-appointed Srikrishna Committee which has invited suggestions on data protection, portability and consent etc.

Banerjee has been engaging with UIDAI officials since summer 2017 on several issues. The three professors have identified three major architectural flaws in UIDAI’s design of Aadhaar.

THE THREE FLAWS

Listing the three flaws, Banerjee said, “The use of biometrics should be limited to only identity verification instead of making it the sole factor for authentication and authorization.

“The second flaw is the use of a single global identifier such as Aadhaar in different unrelated application domains. We have suggested that local virtual identifiers should be issued for each silo and that UIDAI should securely maintain the mapping between them.”

And, thirdly, it is the big risk of insider leaks and threats, which is a severe program design flaw.

The three professors have recommended that data should be accessed only through pre-approved and tamper-proof computer programs, and that an online and independent regulatory authority should authorize, facilitate and monitor all data accesses.

THE DILEMMA OF VIRTUAL ID

Professor Banerjee explained, “Virtual IDs prevent unauthorized linking of databases using a global ID, thus preventing illegal profiling of individuals. Information theft, however, can happen in other ways as well — both due to architectural flaws and due to incorrect implementation.”

Since virtual IDs are being introduced post-facto, the professor believes it’ll be crucial to ensure that all services that use Aadhaar irrespective of whether it is by the state or private companies, should only use Virtual IDs.

“Ensure that there is an effective migration plan to replace the Aadhaar IDs with Virtual IDs. This should preferably be done by the authorities themselves without causing distress to people or making them run around.”

“Considering the complex demographics of our country, with a large fraction of the population lacking the necessary cultural capital to self-manage Virtual IDs, it may cause distress to many. Otherwise, the Virtual ID will end up becoming an effective instrument only for the privileged and a cause of distress for the others.”

CRITICS AND DATA PROTECTION LAW

The IIT professors are of the notion that criticism around Aadhaar is essential. Banerjee said, “Dissent and debate are essential for working out effective solutions and critics and the civil society have done a great job in pointing out the exclusion and disruption that Aadhaar has caused. It would only put a much-required emphasis on data privacy and brought in the scholarly privacy judgment.”

He added, “The chances of an effective data protection law being worked out are now high. I, however, wish that there were more rigorous and causal analyses and even more alternative design suggestions.”

Banerjee is currently working on data protection law and would like to send the recommendations to the Srikrishna Committee.