by Anand Venkatanarayanan

The UIDAI has maintained that the central repository (CIDR) which holds biometric data is safe and secure, even though there is overwhelming evidence that the demographic data outside CIDR held in the ecosystem is very leaky (CIS Report, MediaNama, Global Voices, NIC eHospital, Reliance Jio).

The debate on CIDR safety has obscured an even more important question: “What is the trustworthiness of the entries in the CIDR?”

An Aadhaar identity is considered more trustworthy than any other identity document in India (except Passports) for ascertaining both the Proof of Identity (POI) and Proof of Address (POA) and the basis for that trust is biometric deduplication.

It has always been assumed that the following are true about biometric deduplication:

“Biometrics can as yet not be faked” (Mukul Rohatgi, former Attorney General of India)

The digital representation of any biometric identifier (IRIS, fingerprint) is unique to an individual, and hence a duplicate can be detected during re-enrollment (“People should not even attempt to enrol twice. They will be caught very easily”: AB Pandey, current CEO of UIDAI)

Why does the belief that biometrics cannot be faked persist, even if there is ample evidence that Gummy fingers (2002) can defeat fingerprint scanners, and a high resolution picture of IRIS (2017) can fool the IRIS scanner?

The hidden assumption behind this belief is that Biometrics cannot be faked during enrollment and even if they were, it would be caught during deduplication.

The Uttar Pradesh Aadhaar case is significant because it invalidates the above assumption. It is important to understand the enrollment process in depth to understand the why and how.

Enrollment

The defining characteristic of the Aadhaar project is the speed of enrollment, while also managing other contradictory requirements such as

Enrollment should be done only by trustworthy agents.

The enrollment process must be quality controlled to avoid capture of inferior quality biometric and demographic data.

Enrollment must be possible even in places with non-existent internet connectivity.

Enrollment must be very cheap, as funds were initially limited.

Optimizing for Speed

UIDAI’s solution to the above problems is described below:

Own only the enrollment software and not the hardware.

Establish standards for biometric devices used for enrollment, a certification process and a certification agency.

Design the enrollment software to accept enrollments even in places with no connectivity.

Enrollment operators and/or supervisors need to pass an exam to become eligible, and one of the prerequisites for appearing in the exam was getting an Aadhaar.

Outsource the enrollment operation to third parties as depicted below (Slide #5)

Registrars are paid ₹40 – ₹50 for every successful enrollment and are expected to pass a portion of this to the enrollment agencies, who in turn will pass a portion to the operators running the enrollment center.

This model made UIDAI similar to (but not same as) a platform aggregator for the purpose of enrollment:

Supply meets demand

Taxi aggregators tapped into a latent need for an on-demand, low-cost transportation solution. Their initial focus was on increasing the supply of drivers through incentives. Demand however was highly variable on specific days and even on specific times of the day. When supply cannot match demand, the aggregators have only two options:

Ignore the additional demand and lose money. (OR)

Profit from the increased demand by surge pricing which also tempers the demand in some cases.

Transportation is a repeat need but enrollment and enrollment updates are not. The RTI response to Anumeha Y indicates the practices operators engaged in to maximize their earnings:

1. Bribe for enrollment (most common)

2. Absence of document verifiers (common)

3. Operator using a photograph of the photograph for the resident (common)

4. Multiple enrollments of the same person (a few instances)

5. Two Aadhaar numbers generated for the same person (a few instances)

6. Operator using the ID of another operator for enrollment (2 instances)

7. Operator using thumb prints for enrollment (2 instances)

8. Enrollment software working without a thumb print (1 instance)

The primary corrupt practices are standard demand for bribes and skipping document verification, but items 6 – 8 are systematic attempts to find vulnerabilities in the enrollment software. Blacklisting is the standard response by the UIDAI when a complaint is received and verified as true. The scale of the problem is outlined below:

Date                                                        | Source                                                   | Total number of banned enrollment operators
From 2011 to 27th April 2016                                | LS SQ 59                                                 | 11,974
From 2011 to December 2016                                  | Hindu Business Line                                      | 33,000
From 2011 to 10th April 2017                                | Hindu Business Line                                      | 34,000
From 2011 to 12th Sep 2017                                  | Times of India                                           | 49,000
Operators banned between 10th April 2017 and 12th Sep 2017  | Difference between the two rows above (49,000 – 34,000)  | 15,000

Date                    | Source                                                                             | Total number of active operators
As of 19th August 2016  | UIDAI                                                                              | 60,000
As of 9th April 2017    | Indian Express                                                                     | 40,000
As of 12th Sep 2017     | Operators banned between 10th April 2017 and 12th Sep 2017 (from the table above)  | 25,000 (40,000 – 15,000)

Fake rides and Ghost Aadhaar kits

The incentive scheme offered by the taxi aggregators spawned novel schemes to create fake rides. UIDAI paid only a fixed sum for each successful enrollment, and the operators' problem was then to maximize it. This was achieved by cutting corners such as skipping document verifiers and/or using rubber thumbprints.

Linking Aadhaar to all economic activities under threat of service denial made it the most sought after identity document and also created the demand for a fake Aadhaar ID (ghost).

A fake Aadhaar, however, is always assumed to be harder to create because only humans possess biometrics. To understand how the ghost Aadhaar making kit was made and sold, a description of the enrollment software is necessary.

Enrollment Software

UIDAI chose to release downloadable enrollment software rather than a web-only enrollment system, to handle the absence of connectivity.

The steps required to convert any laptop connected to the hardware kit into a fully functional authorized enrollment station are listed below:

Step 4 will only succeed if the operator's Aadhaar ID is associated with the enrollment agency and their biometrics match the ones stored in the CIDR.

Hacking the Enrollment Process and Software

Operator and supervisor biometrics (fingerprint and IRIS) are possibly the only things standing in the way of converting any laptop into an authorized enrollment station. While it was known as early as 2002 (Matsumoto) that fingerprints can be mould-printed and attached to rubber gloves, photographic IRIS authentication techniques are recent (May 2017) and are not commercially available.

Hence, instead of attempting to crack IRIS authentication, the hackers simply bypassed it by patching the enrollment application using standard module replacement techniques.

This technique is widely used against other software too: there are cracked versions of Tally and Doom, and even the firmware of tractors is prone to this attack.

The Ghost kit

The initial press release (note: this is an English translation by volunteers, based on photos published on LinkedIn by a UP Police official, which were subsequently deleted, and on tweets: this, this and this; thus caveats apply) indicates the following:

UIDAI knew that the earlier version of enrolment software was abused through cloned fingerprints and added IRIS authentication as an additional security feature.

Fingerprint moulds which work like the “original only”, made using butter paper, a laser printer and resin, were used for operator authentication.

Legal standards were bypassed and security practices were not followed.

38 artificial fingerprints on paper and 48 chemically made artificial fingerprints were found.

The operators were able to create forged Aadhaar cards by using the above fingerprints and by bypassing IRIS authentication.

The kit was sold to unauthorized operators for ₹5,000 each to create forged Aadhaar cards using the same operator ID from multiple enrollment stations.

An ET article also indicates that the enrollment operator was able to make forged Aadhaar cards by inserting random or duplicate biometrics into the system and was charging individuals ₹5,000 for each job.

Differentiating between a fake Aadhaar card and a fake CIDR entry is important. The former doesn’t require patching the enrollment software, but the latter does. An Aadhaar number is a 12 digit random number issued to any resident whose demographic and biometric details are not flagged as a duplicate. While enrollment IDs can be used initially to get services, those would be revoked if the enrollment is eventually rejected. Hence obtaining just an enrollment ID would not be very useful.

Further, registration agencies are paid only for successful Aadhaar number generation and not for enrollments, and there are 6X penalties for every enrollment rejected because of process errors, with eventual blacklisting. Hence only one of the following outcomes is possible:

UIDAI detected the scheme and the operators were caught before pushing enrollments as claimed by their press release (OR)

Operators succeeded in defeating the deduplication engine and were able to generate Aadhaar numbers using the ghost kit.

The evidence listed below refutes UIDAI’s claims and proves that the ghost kits were indeed used to generate Aadhaar numbers.

In Telangana

Deccan Chronicle reported on Feb 8, 2016 that illegal Aadhaar centres had sprung up all over Telangana and were using software procured from other sources to push enrollments. Thus the ghost kit was in active circulation as early as Feb 2016.

In a CSC Newsletter

A CSC Newsletter on May 27, 2016 announced the release of enrollment software version 3.2.0.0, which added IRIS authentication of the operator as an additional security measure. This strongly suggests that UIDAI was aware that artificial operator fingerprints were being used to push enrollments, and is further corroborated by the RTI response to Anumeha.

In Kerala

A Times of India article on May 16, 2017 reported that Aadhaar operators announced a three day strike to protest against the mandatory IRIS authentication of operators for every enrollment from May 1st, 2017. A follow up report on May 20, 2017 states that the strike was withdrawn as UIDAI accepted the operators' demand to not insist on capturing the IRIS image for every enrollment.

It is perplexing indeed why the operators were protesting a full year after the introduction of IRIS authentication (May 27, 2016) without understanding the significance of the UIDAI circular on May 1st, 2017. On that day, UIDAI released version 3.3.3.3 which contained the security fix for the bypass attack on IRIS authentication and also other security features (JAR signing) which made module replacement techniques irrelevant.

It is thus possible to logically conclude that for a full year since IRIS authentication was added as a security feature, the operators may have been able to bypass it and push enrollments into CIDR using the cloned software created by the hacker gang and that perhaps the UIDAI was not able to detect it.

The UIDAI, it would appear, was thus not aware of the clone kit until it was reported by the Uttar Pradesh Police, though it is very credible that it detected the anomaly of simultaneous operator logins from various locations after version 3.3.3.3 was released on May 1st, 2017.
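The anomaly described above, one operator ID authenticating from several stations at once, is straightforward to detect from login records. The following is an added example, not code from the original post or from UIDAI: it assumes a constructed log format of time, operator ID and station ID per line, and flags any operator seen at two different stations within a time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not UIDAI's real format); one line per operator
# authentication: "<ISO-8601 time> <operator id> <station id>".
SAMPLE_LOG = """\
2017-05-02T10:00:00 OP-1001 STN-LKO-07
2017-05-02T10:10:00 OP-1001 STN-KNP-03
2017-05-02T10:05:00 OP-2002 STN-LKO-07
2017-05-02T11:30:00 OP-2002 STN-LKO-07
2017-05-02T16:00:00 OP-1001 STN-LKO-07
not a log line
"""

def parse_log(text):
    """Return (time, operator, station) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events

def concurrent_logins(events, window=timedelta(hours=2)):
    """Flag operator IDs authenticated at two different stations within `window`.

    One operator cannot be physically present at two enrollment stations at
    once, so this is the trace that one operator ID shared across several
    ghost-kit stations leaves in the login records. Logins are sorted per
    operator and only adjacent pairs are compared: if any two logins at
    different stations fall within the window, some adjacent pair does too.
    Each alert is (operator, station A, station B, seconds between them).
    """
    by_operator = defaultdict(list)
    for ts, op, station in events:
        by_operator[op].append((ts, station))
    alerts = []
    for op, logins in sorted(by_operator.items()):
        logins.sort()
        for (t_prev, s_prev), (t_cur, s_cur) in zip(logins, logins[1:]):
            if s_prev != s_cur and t_cur - t_prev <= window:
                gap = int((t_cur - t_prev).total_seconds())
                alerts.append((op, s_prev, s_cur, gap))
    return alerts

if __name__ == "__main__":
    for op, a, b, gap in concurrent_logins(parse_log(SAMPLE_LOG)):
        print(f"{op} authenticated at {a} and {b} only {gap // 60} minutes apart")
```

The window should be set from the realistic travel time between stations; a legitimate operator moving between two centres in the same town will otherwise show up as a false positive.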

Implications

Biometric mixing can defeat deduplication

An Aadhaar number is assumed to be issued to a “real” person who possesses a unique set of 10 fingerprints and 2 IRIS prints, which are captured during enrollment. Hence even the duplicate entries which exist in the Aadhaar database nevertheless correspond to “real” persons who were alive at the time of enrollment.

Biometric deduplication is the basis of that trust. The Aadhaar operators have successfully defeated biometric deduplication by inserting random or duplicate biometrics (ET Article) thus reducing the trustworthiness of an Aadhaar ID and “true” ghosts are now a real possibility in the CIDR.

A ubiquitous Aadhaar has all the characteristics of a currency note, such as wide acceptance, legal backing and trustworthiness. Similarly, a fake Aadhaar is conceptually similar to fake currency and has the same attendant problems of traceability and loss of trust. Now assume that the following enrollment was successful through operator collusion:

Anand and Nikhil are two different “real” persons who wanted to create a fictitious person named “Nakhila”.

During enrollment, Anand’s left hand and left eye were used, while Nikhil’s right hand and right eye were used for biometric capture.

Neither used their own photograph, but instead used a photograph of a woman. They submitted forged documents for Proof of Identity and Proof of Address in that name.

The address provided actually exists and the illiterate resident who lives there would receive their mailed Aadhaar slip and notify them to collect it for a small fee.
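Why the “Nakhila” enrollment above can pass deduplication depends entirely on how the engine scores a partial match. The following toy model is an added example, not the post's own code and not UIDAI's actual deduplication engine: templates are plain labels that match only on equality, and both rules (a whole-person threshold versus a per-modality partial match) are constructed for illustration.

```python
# Toy model of biometric deduplication, constructed for this example. A
# "template" is a label standing in for a biometric feature vector and two
# templates match only when the labels are equal; real matchers return
# similarity scores and have false-match rates, which this model ignores.

FINGER_SLOTS = [f"{hand}{i}" for hand in "LR" for i in range(1, 6)]  # L1..L5, R1..R5
IRIS_SLOTS = ["LEFT", "RIGHT"]

def person(name):
    """Record whose 10 finger and 2 iris templates all belong to one real person."""
    return {
        "name": name,
        "fingers": {s: f"{name}-finger-{s}" for s in FINGER_SLOTS},
        "irises": {s: f"{name}-iris-{s}" for s in IRIS_SLOTS},
    }

def matches(new, old):
    """(matching finger slots, matching iris slots) between two records."""
    fingers = [s for s in FINGER_SLOTS if new["fingers"].get(s) == old["fingers"].get(s)]
    irises = [s for s in IRIS_SLOTS if new["irises"].get(s) == old["irises"].get(s)]
    return fingers, irises

def whole_person_dedup(new, cidr, threshold=0.75):
    """Naive rule: a duplicate only if most of the 12 templates match ONE record.
    A record built from two people matches each of them on just 6 of 12 slots,
    so it is accepted as a new resident."""
    hits = []
    for old in cidr:
        fingers, irises = matches(new, old)
        if (len(fingers) + len(irises)) / 12 >= threshold:
            hits.append(old["name"])
    return hits

def partial_match_dedup(new, cidr, min_fingers=2):
    """Stricter rule: any iris match, or min_fingers fingers matching one existing
    record, holds the enrollment for manual review; mixing then flags every contributor."""
    hits = []
    for old in cidr:
        fingers, irises = matches(new, old)
        if irises or len(fingers) >= min_fingers:
            hits.append(old["name"])
    return hits

CIDR = [person("anand"), person("nikhil")]
# "Nakhila": Anand's left hand and left eye plus Nikhil's right hand and right eye.
NAKHILA = {
    "name": "nakhila",
    "fingers": {s: (CIDR[0] if s[0] == "L" else CIDR[1])["fingers"][s] for s in FINGER_SLOTS},
    "irises": {"LEFT": CIDR[0]["irises"]["LEFT"], "RIGHT": CIDR[1]["irises"]["RIGHT"]},
}

if __name__ == "__main__":
    print("whole-person rule flags:", whole_person_dedup(NAKHILA, CIDR))
    print("partial-match rule flags:", partial_match_dedup(NAKHILA, CIDR))
```

With real matchers the partial-match rule trades a higher manual-review load for catching mixed records, which is the policy question a deduplication engine has to answer explicitly.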

In the seeding scam case, an engineering college student Rahul Pandit allegedly linked his Aadhaar with his college savings account and withdrew 11 Lakhs from micro ATMs operated by banking correspondents by using his fingerprints. He was eventually traced (though not yet caught) because he was a real person. That would not be possible if Nakhila’s Aadhaar number was linked to a bank account number, as she is a fictional person created in the Aadhaar database by mixing up the biometrics of Nikhil and Anand.

In Going Digital, UIDAI CEO AB Pandey, while defending Aadhaar linkage with bank accounts claimed that the linkage increased security because “In the worst case, if there is an unauthorised transfer from an account, the beneficiary can be identified through Aadhaar”. The fundamental assumption behind that claim is that Aadhaar numbers are issued only to “real” persons, because only “real” persons have biometric identifiers.

Ghosts in the Aadhaar database defeat this assumption, because it conflates the existence of a person with biological characteristics such as fingerprints and IRIS with the existence of an entry in the CIDR. While it is certainly possible at full enrollment levels that every resident in India will have an Aadhaar number, it does not necessarily mean that every Aadhaar number is given to a “real” person.

eKYC and eSign

Discounting biometrics, the strength of any electronic Know Your Customer (KYC) process is dependent on the trustworthiness of the verification process. If the verification process is lax or non-existent, the entries in the central repository do not form a trustworthy basis for financial transactions such as bank loans.

Absence of document verifiers is a common corner-cutting practice that the operators engaged in while carrying out enrollments, as the RTI response discussed above indicates, thus undermining the trustworthiness of the eKYC process. The wilful addition of ghosts to the CIDR by biometric mixing further undermines that confidence, as there may not even be a real person associated with an Aadhaar number.

Conclusion

The basis of any economic transaction is “Trust”. A currency note printed by the RBI enables large scale transactions because it solves the problem of trust. It does so by adding security features that make it difficult for another entity to create fake notes. Besides, exceptional control is exercised by the RBI over the issuing entities as well as the supply chain since, if they are compromised, all is lost.

It may be useful to think of “Aadhaar” as the basis for solving the “Trust” problem of “Human Identity”. UIDAI then becomes equivalent to the RBI which guarantees the trustworthiness of the issued Identity. The key difference in this analogy is the presence of a large number of third party entities which are incentivized to compromise the various security features put up by the UIDAI to certify trust at the initial stages itself, thus compromising the very basis of the project.

UIDAI, as a government organization, is severely underfunded to solve the problem of “Human Identity Trust” and tried to manage the budget deficit by enrolling third parties, in the mistaken belief that an incentive based scheme for successful enrollment would unleash market driven innovation. But market driven innovation based on incentives also unleashes fraud, as many of the other platform companies eventually found out.

The scale and the impact of the frauds are usually harder to contain as the platform becomes more ubiquitous. It is unclear if UIDAI has the required competence to handle these issues since it is an Identity Monopoly backed by law and hence has no incentive to improve, unlike market driven private entities.

So far its preferred approach seems to be to become an entity that is “Too big to fail”, rather than an entity that offers great value and hence becomes “Too good to scrap”.

***

Anand Venkatanarayanan is a Senior Engineer at Netapp. Views expressed here are personal and do not reflect the views of his employer or of MediaNama

Note: This post is published under CC-BY license. You may republish this post with credit to the author: Anand Venkatanarayanan