Aadhaar Adds another security layer to frustrate “Benami” s.

It appears that UIDAI is in race with the Supreme Court to ensure that the Court does not take any decision to question the use of Aadhaar as it is presently planned.

Aadhar has evoked a mixed response from the public. All those who consider that we need to root out corruption are happy with the Government linking Aadhaar as a unique ID to many of the services which involves payment out of the Government funds. They are of course worried about the security of their money in the Bank if Aadhaar can be misused. Their objection will continue on the AEPS systems where biometric of the Aadhaar gets collected by thousands of merchant establishments and can be misused.

But those who had a stake in benami accounts and corruption have been perturbed with the linking of Aadhaar to  PAN and Bank accounts. Government is now talking of linking Aadhaar to property registrations and this is the last straw that will break the back of corrupt people who had grown stronger and stronger during the UPA regime and were slipping away from the clutches of law. There is no doubt there are many Government servants also in this group as well as the businessmen and politicians. I will not be surprised if there are some Judges also in this group.

Along with these people there are another set of people who are not corrupt and may not have any black money but are naturally opposed to any negligent IT implementation where there are security loopholes. So far UIDAI has been fighting these security specialists out of its own ego and created a lot of enemies. Some of these are advocates of “Anonymity” who have a false sense of pride in hiding themselves from regulators and work in the darkweb in the Bitcoin economy and for them any “Identity” is an anathema. They therefore oppose Aadhaar as a matter of principle as it represents the height of “Identified online transactions”.

On the other hand, there are a large number of illegal migrants and beneficiaries of Government schemes, in fake employment with the Government, holding fake ration cards, fake SIM cards etc who obviously want their anonymous life to be protected so that they can continue their illegal activities and terrorist pursuits. The politicians who are opposed to Mr Modi and all the pseudo intellectuals including those advocates who are fuelling the Judges revolt in the country and supporting the “Bharat Tukde Karo Brigade” use all disgruntled persons with anti Aadhaar agenda with the help of Journalists who have their own axe to grind.

Some of the political opponents had hoped that Supreme Court may scrap Aadhaar under Privacy violation charges and had been preparing for the same in the last several months. They thought that with the assistance of some technical experts, they can show case the security weaknesses of Aadhaar and get it scrapped.

The Prashant Bhushans, Dushyant Daves, Kamini Jaiswals, Indira Jaisighs, D.Rajas, Rahul Gandhis etc are all there to ensure that the Supreme Court can be influenced by managing friendly benches in the Court. They were first frustrated by the CJI who is not playing ball in distributing cases as per the wishes of the political opponents of BJP.

Now, UIDAI itself seems to have wken up from its slumber and making some vital moves on improving the security of the system.

First such move of UIDAI was to harden the security with the Virtual Aadhaar ID. Leaving aside the argument that this should have come earlier, the security specialists have lost an important battle because of this change that UIDAI has proposed. Now they have to wait for implementation failures before the next round of security related vulnerabilities can be raised.

The other category of complaints were from politicians and NGOs who were complaining that people are dying because of Aadhaar authentication failures. There were many such complaints brought out in the Bangalore consultation of the Data Protection Bill. Here the complaint has been that many poor people have been denied of the rations because their Aadhaar was not available. Some of these instances may be real but the problems are not because of Aadhaar. It is because of other factors including lack of awareness and lack of effort on the part of the subjects. NGO s who are now complaining should devote time in assisting these poor people rather than creating statistics of who dies because of non availability of ration.

The Face Identity now introduced by Aadhaar would address this issue and say that  those who could not get their finger prints accepted, can now provide face recognition.

The concept is having potential and we should see how the implementation goes.

It is possible that teething troubles may come up for both the schemes namely the Virtual Aadhaar ID and the Face recognition and they will again be highlighted by Aadhaar baiters as reasons why Aadhaar should be discontinued. But the problem for them is that in the immediate proceedings before Supreme Court, the Government will be able to put up a strong defense which may be enough to atleast prevent any catastrophic decision from the Court.

I would however like UIDAI to consider this as a reprieve for the time being and ensure that in the breathing time now available, they try to address other problems before any major disaster occurs.

I suggest some of the following specific things to be done in this regard.

  1. Introduce a good Bug Bounty Program that rewards security professionals who can spot vulnerabilities and reward them handsomely. This will create an army of friendly security professionals who will be on the side of the UIDAI rather than on the other side.
  2. The Bug bounty program should be extended for disclosing the vulnerabilities even at the AUA/KUA and Merchant level so that the entire Aadhaar ecosystem is part of the Bug bounty program and not only the CIDR. This will also be good to protect the ego of UIDAI since they may otherwise find it difficult to admit that there could be vulnerabilities even in the systems under their control.
  3. The face recognition system which becomes available can be also used with other innovative systems of integration with the Virtual Aadhaar ID, multiple biometric records and OTP to develop a combined security algorithm that not only is difficult to break in the future but also creates a cover for the data already lost. UIDAI needs to shed its complacency and work towards improving the security to ensure the survival of the system for their own good and for the good of the society. How this can be done is outside the scope of this discussion.

The net impact of the recent measures of UIDAI is that Supreme Court cannot blindly take the argument of the of the anti-aadhaar lobby and jump to conclusions. They will have to atleast make an attempt to consult other experts to find a credible argument to oppose the new system. This will take time and hence there is a new lease of life for Aadhaar for the time being.

Beyond this, we need a bench where four out of five judges would be friends of left parties and activist advocates to convince them that Aahdaar should be scrapped. Hopefully such an opportunity will not arise.

I am not also convinced that the opposition to Aadhaar is firmly grounded in the “Privacy Debate”.

The argument is that linking of “Aadhaar” to PAN or other activities on a “mandatory” basis is a violation of the fundamental right under Article 21 of the constitution. The linking of Aadhaar to another identity such as PAN by itself cannot be considered as “Disclosure of Privacy Information” which is also “Unatuthorized”.

The IT authorities may in their IT returns take a “Consent” (If they are not doing so far, they can do so now) to make the information available to Government agencies for purposes of Governance and efficient tax collection.

No Citizen should be considered as having a “fundamental right to hide” and refuse to allow the Unique and Universal ID called Aadhaar to be used  for tracking other activities that are directly or indirectly relevant to the proper Governance of the nation.

All arguments now are that “Government is incapable of information security and therefore the linking of Aadhaar is indirectly a failure of the Privacy protection”. This argument has been substantially weakened after the current moves.

At best, more assurances from the Government may be called for to provide confidence to the public. There can be better checks and balances at the intermediary Aadhaar end to check misuse and make the intermediaries solely liable for security failures.

This liability of the intermediaries is already available since they provide services to the public under a contractual consent and if these are not fulfilled, they are answerable under ITA 2000/8 and/or the proposed new Data Protection Act besides the penalties under UIDAI act.

In view of the above, Aadhaar may get over the crisis for the time being.

Just as Hardik Pandya in future will not forget to ground his bat while running, UIDAI should not forget to  ground the bat within the information security precincts.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.