ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

(Disclaimer: The opinions expressed in this column are that of the writer. The facts and opinions expressed here do not reflect the views of www.economictimes.com .)

The latest episode of the Aadhaar data-breach drama is playing out in the media since the last few weeks. It’s being claimed that there is someone who has the Aadhaar data of a billion residents and a breach of catastrophic proportions has happened.In the previous episode, the breach was created by aggregating the published beneficiary data on various government websites, which included Aadhaar numbers. During that time, I had written in this publication that there had been no data leak ( goo.gl/hCJZL8 ). If all these breach claims were true, no part of Aadhaar data would have been left secure. The fact is that there has been no data breach till date.First, the Aadhaar number is not a secret number. In fact, it is just a unique random number associated with a person. The other pieces of information that Aadhaar has are the name, gender, date of birth and communication address of the holder. None of these is secret information. If a policeman on the road suddenly gets hold of you and asks your name and address, you are mandated, under law, to truthfully disclose that. No harm can be caused to a person if somebody has a copy of his Aadhaar letter.The Unique Identification Authority of India (UIDAI), since 2012, has created a facility, e-Aadhaar , to ‘Know Your Aadhaar’ status and to download a digitally signed Aadhaar letter with password protection. This is in keeping with the fact that Aadhaar is the world’s first online digital identity and the token (Aadhaar letter) has no chip or ‘smartness’. The UIDAI has publicised that there is nothing called an ‘original’ Aadhaar letter. You print the letter from the website and it is good enough to prove your ID, provided it can be verified online. The online authentication of identity is printed on every Aadhaar letter. Aadhaar has various ‘flavours’ of authentication, including a demographic one.The background to setting up e-Aadhaar in 2012 was that there were a large number of cases, especially in the rural areas, where the Aadhaar letter was not delivered, had been lost, or was not generated for some reason. If nothing was done to inform the resident of the status of her Aadhaar, she would have continued to get harassed and would probably have gone to enrol again. Her enrolment would have been rejected the second time since her Aadhaar had already been issued. She would have been running around in circles. Hence the availability of e-Aadhaar to every resident.While one can use e-Aadhaar one one’s own, it can also be done at any common service centre (CSC), or through one of the UIDAI’s contact centres. State governments have also been given this search facility to ensure proper seeding of Aadhaar numbers in various databases. For traceability, each person has been assigned a username and a password.In the current controversy, one of the persons who had access to the search facility sold his credentials to somebody. It was, thus, claimed that the purchaser of these credentials has access to the entire Aadhaar database. Yes, he can now enter an Aadhaar number and download the Aadhaar letter relating to the concerned person.But he will then have to guess and plug in a billion Aadhaar numbers a billion times, and enter a ‘captcha’ (completely automated public turing test to tell computers and humans apart), a challenge-response test, for every transaction, and then alone can he download the e-Aadhaars. Guessing is also difficult as every 12-digit number is not an Aadhaar number. The chance of guessing correctly is only 1%. There are 10,000 crore 11-digit numbers—the 12th digit being a ‘check number’.So, if one person shares his credentials with another for a consideration, can this be called a data breach that exposes the weakness of the system? This is not a breach of system, but a breach of trust.A facility which was being used since the last six years to search and print Aadhaar letters is suddenly turned into a scandal about a Great Data Breach. This is as ‘fake news’ as it gets.The entire list of electors in India is available online with all these details. Under the National Population Register (NPR), it is mandatory to publish the list of residents publicly. Telephone directories have such information. Yes, Aadhaar also has your biometric information, which is the real sensitive information. Biometrics are first used to ensure uniqueness, and subsequently to carry out online authentication.So, this is the real news: not even a single biometric data, repeat not even a single biometric data, has been leaked in the last seven years since the first Aadhaar was issued. If that is not adequate security, what is?Aadhaar is like a detergent which is going to clean whatever it is applied on. When Aadhaar was being used by the poor for getting their entitlements, it was deemed okay. Now that it is cleaning other systems to check things like benami properties and tax evasions, it is becoming too dangerous for many people.This latest episode is part of a sustained campaign launched to discredit Aadhaar. One can safely expect the next episode of this drama in the not-so-distant future.(The writer was the first Director General, UIDAI)