How Safe Is Your Biometric Data? The Potential Pitfalls of Aadhaar

Last week, the government managed to pass the Finance Bill, which made Aadhaar mandatory for services from getting a SIM card to filing taxes. Yes, the same Aadhaar that makes a database of citizens’ fingerprints and iris scans, and that until recently was optional.

Aadhaar is on its way to becoming the only identity card in the future. But a major component is biometric identification technology, and technology can always fail. What happens if the software cannot recognise you? Or what if you don’t have biometrics that can be scanned?

With Aadhaar, you’ve given your fingerprints and iris scans to the government - the things that definitively set you apart from the next person. But, where do you go if you can’t prove your identity to get food for your child or medical aid for your ailing parent?

With over 500 crore Indians possessing an Aadhaar card in 2017, The Quint spoke to security experts about the potential pitfalls of biometric scanning.

Does Aadhaar Universally Incorporate?

For enrolment to get an Aadhaar number, the Unique Identification Authority of India (UIDAI) laid down three parameters on scanning biometrics – iris, fingerprints and face. However, these are only for the ages 5 years and over.

While people with visual disabilities were incorporated in the initial sample size, that isn’t the only kind of disability that exists.

There are people with amputated limbs, those who could have gotten facial reconstruction surgeries due to accidents AFTER their Aadhaar card was made, or those whose fingerprints cannot be scanned due to manual work such as fishermen, construction workers, or those working with salt.

Are these people being taken care of by the government?

Ever-Changing Rules for Biometric Scans

There are two categories of people for whom Aadhaar rules are changed – the disabled and children.

For those with vision impairment, there is introducer-based enrolment and for those without fingerprints, iris scans are taken.

The Quint spoke to Kiran Jonnalagadda, the founder of HasGeek and trustee of Internet Freedom Foundation (IFF) about introducer-based enrolment.

IFF was born out of savetheinternet.in, and works on issues of net neutrality, freedom of expression and privacy.

When a person cannot prove their address or identity, introducer-based enrolment is used. There are multiple introducers in every geographic area, and they belong to the government and other agencies like civil society groups and banks.

An introducer’s identity is used as a crutch to establish another’s identity, to help get more people into the system.

“For people with handicaps, UIDAI has taken care to give people an Aadhaar number with just one of the biometric scans,” says Jonnalagadda.

However, the problem arises when they go to avail services from a merchant, say, for rations. If your card was made with only an iris scan but the merchant only has a fingerprint scanner, then you are left with no option.

Children and Aadhaar

For children under 5 years, facial scans along with ID proofs of their parents/guardians will be taken. The proofs include their Aadhaar/ID cards, their relationship with the child, address, and capturing of their biometric information. But this information needs to be updated after the child turns 15.

Shortcomings of Aadhaar

Jonnalagadda said, “The problem with Aadhaar is with its deployment. Merchants and those who are using Aadhaar scanners for providing services, are supposed to have both iris and fingerprint scanners.”

When asked if there have been cases of people not getting their face recognised due to any facial reconstruction surgery done after getting their Aadhaar number, Jonnalagadda said he wasn’t aware of any such instance.

Is Security Compromised With Just One Scan?

It’s clear that Aadhaar cards can be made with either just an iris scan or fingerprints.

The Quint spoke to Nikhil Pahwa, the co-founder of savetheinternet.in to ask if taking both scans does mean more security.

It makes the database more dangerous. The people talking about security are talking from the perspective of impersonation and how someone cannot impersonate someone else. Security is not just about impersonation but also about security of the database.

However, according to Jonnalagadda, the two scans are for backup and for additional security to the database. He also said that finger scanners are more widely used because iris scanners are much more expensive.

Dual-Scans to Profile Citizens or Prevent Number’s Misuse?

Even if both the scans are being taken to strengthen the database, there’s always more to a story than meets the eye. Is the government’s ‘extensive database’ just profiling citizens, much like criminals, by taking iris scans and fingerprints?

Pahwa said, “(taking both scans) is a clear issue of profiling.”

Health information, mobile number, financial details of a person are all linked to the Aadhaar, which is nothing but their profile. 

However, Jonnalagadda was of a different view.

According to him, “The two scans are taken for everyone so that you can’t get two Aadhaar cards made for a person, one using fingerprints and another with iris scan”. 

But if only one biometric were to be captured, there would be a section of people unable to avail of it – either visually impaired people who couldn’t take iris scans, or people whose fingerprints didn’t work for fingerprint scans – which is why both are taken.

Will Biometric Theft Become More Common?

Sameer Kochhar, entrepreneur and president of the think tank Skoch, recently pointed out in a video how simple it is to illegally store someone’s fingerprints, for which an FIR was registered against him.

In February, UIDAI even lodged criminal complaints against Axis Bank, Suvidha Infoserve, eMudhra for illegally storing and using Aadhaar data to impersonate people and carry out transactions.

Aadhaar is moving towards becoming the one, all-encompassing digital identity. How common will biometric theft be, wherein a person’s fingerprints or iris scans are stolen?

Pahwa said that when all the identities are linked and a hacker gets access to them, all the digital identities of a person are at stake.

He said, “As a hacker, you will be able to get the one thing that manages to identify people without fail and get access to any information about a person.”

He said that the one way of ensuring theft doesn’t occur is to “not have a single-point that connects all your identity to a database.”

“A Risk Not to Fret About Yet”

But Jonnalagadda doesn’t think biometric theft is to be worried about, yet.

Kiran Jonnalagadda: “Biometric theft is a far out possibility. It’s 100 times more likely that someone has a paper copy of your Aadhaar and misuses that. Sameer Kochhar’s video was more of a replay-attack, not biometric theft.”

How Does a Replay Attack Differ from Biometric Theft?

In the former, the person scans their finger or iris at least once. That scan can be captured by the scanner and stored for later use, without the person being present.

The latter is carried out by hackers, without the person ever needing to give their biometric scan anywhere.
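To make the replay case concrete, here is an added example (not from the article, and not a description of how Aadhaar or UIDAI systems actually authenticate): a verifier that accepts any matching capture is satisfied by a stored copy, while one that binds each capture to a one-time challenge rejects it. The `Verifier` class, the scanner key shared with the verifier, and the byte-for-byte template comparison (real matchers are fuzzy) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

def sign_capture(device_key, template, nonce):
    """Scanner side: bind this capture to the verifier's one-time nonce."""
    tag = hmac.new(device_key, nonce.encode() + template, hashlib.sha256).digest()
    return {"template": template, "nonce": nonce, "tag": tag}

class Verifier:
    """Hypothetical verifier; exact comparison stands in for fuzzy matching."""
    def __init__(self, device_key, enrolled, max_age=30.0):
        self.key, self.enrolled, self.max_age = device_key, enrolled, max_age
        self.pending = {}  # nonce -> time issued; each nonce is usable once

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = time.monotonic()
        return nonce

    def verify_naive(self, msg):
        # Weak: any stored copy of a matching capture is accepted forever.
        return hmac.compare_digest(msg["template"], self.enrolled)

    def verify(self, msg):
        issued = self.pending.pop(msg["nonce"], None)  # consume the nonce
        if issued is None or time.monotonic() - issued > self.max_age:
            return False  # unknown, already used, or stale challenge
        want = hmac.new(self.key, msg["nonce"].encode() + msg["template"],
                        hashlib.sha256).digest()
        return (hmac.compare_digest(want, msg["tag"])
                and hmac.compare_digest(msg["template"], self.enrolled))

def demo():
    key = secrets.token_bytes(32)            # hypothetical scanner key
    template = b"constructed-template-0001"  # constructed sample, not real data
    v = Verifier(key, template)
    first = sign_capture(key, template, v.challenge())
    stored = dict(first)                     # copy kept after the first scan
    results = {"fresh": v.verify(first)}
    results["naive_replay"] = v.verify_naive(stored)
    results["replay_same"] = v.verify(stored)
    swapped = dict(stored, nonce=v.challenge())  # old tag under a new nonce
    results["replay_new_nonce"] = v.verify(swapped)
    return results

if __name__ == "__main__":
    print(demo())
```

The binding only helps when the signing key is held inside the sensor hardware, so that software storing the capture cannot re-sign it for a new challenge.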

Kiran Jonnalagadda: “Your fingerprint can be stored the first time you place it on a scanner and for any other transaction, even if you are not present, your fingerprint can be used to authenticate a service on your behalf.”

Nikhil Pahwa: “When all of a person’s data is a part of the database, it becomes dangerous as it becomes vulnerable to theft. It’s only a matter of time before it starts to happen.”

For this reason, it is not advisable to link all your data or have it all stored in the same place, as Pahwa explained.

With these obvious shortcomings of the Aadhaar, how safe is your identity?