One of the consequences of the demonetization drive which was prompted as much by the declared need to suck black money in cash form as to starve terrorists and Naxalites of their funding, and drying out political parties of their cash holdings, is that we are suddenly left with an economy which is charging towards a cashless or less cash economy. I am not sure if the forced pace of movement towards digitization of payment systems was factored into the demonetization decision.
It is in this context we need to see the increased risks that may come up when the Niti Ayog’s suggestion of payments authenticated by Aadhar number on a mobile without PIN or password or even a Card should be subjected to a security risk analysis.
According to the statement of the Niti Ayog and UIDAI authorities, (Refer here) the mobiles would use a finger print input and aadhar number inout in an app and enable fund transfers perhaps using both USSD and UPI interfaces in a feature phone or a smart phone.
The first risk that we need to factor in here is that if the mobiles are Chinese made, then the information both of Aadhaar as well as the payments may get passed through Chinese servers subjecting the country to a huge financial risk.
If the app is limited to Indian mobiles where some form of security oversight is possible, then we are still left with the OS related hacking prospect. We cannot discount that in the past the only attempt made to provide security clearance to devices was attempted by a team led by IISc under the funding of Huawei and if the same team now vets the indigenously developed mobile phones, it is doubtful if we are sufficiently mitigating the risk.
Since any such system places the two uncorrectible identity parameters namely the biometric and aadhaar number in circulation across insecure networks, it will permanently compromise the Indian citizen’s privacy to a level where nothing but scrapping the aadhaar system will be able to restore semblance of order.
I am not sure that the Government or the Niti Ayog has evaluated such risks and how they are likely to handle a situation where the 1 billion aadhar holder’s biometric and financial records become available to Chinese Government.
I request Mr Ajay Pandey of UIDAI and Amitabh Kant, CEO of NITI Ayog to clarify how they intend responding to this risk.