NIC Security Blunder Compromised Aadhaar Data

Before Aadhaar, when a telecom operator wanted to verify the identity of a customer before issuing her a SIM, an employee of the firm would visit the client’s home to check the identity and address. This process is known as Know Your Customer, or KYC — the process of identification and verification of a client by a business. So far this process used to be carried out physically.

The introduction of Aadhaar made it possible for this process to be carried out digitally, through eKYC.

The eKYC service can be used by banks, telecom operators, mutual funds, etc to verify identities of people opening bank accounts, getting new SIM cards, or investing in mutual funds. It saves the company from the hassle of visiting a new customer’s home for verification. Instead, a company can simply request access to Aadhaar data stored in the UIDAI’s (Unique Identification Authority of India) server and verify all the details given by the customer. While this seems like it makes the job easier for everyone, the poor security of the Aadhaar database makes it susceptible to theft by anyone with minimal knowledge of the Internet and web development.

Alt News published an article yesterday on how exactly a 31-year old MSc graduate, Abhinav Srivastav, from IIT Kharagpur was able to get unauthorised access to Aadhaar data. It implicates both Srivastav, as well as NIC (National Informatics Centre), which built an Android application with huge security lapses. Srivastav was able to use the loopholes exposed by the NIC application to get access to Aadhaar data of around 50,000 people stored in the UIDAI server.

To access the Aadhaar database, you primarily need two things: one of the APIs (Application Programming Interface) built on top of the database, and the API’s security key. An API is a service which takes in your data query, and returns the result. For instance, if I have to verify my Aadhaar details, I will go to the official UIDAI website and enter my Aadhaar number. I would then receive an OTP, upon entering which, the website will show me all my details. Here, the API took my Aadhaar number, found all the information saved for that number, and returned that information to me. But the Aadhaar APIs are not public services. If they were, anyone would be able to use them to access Aadhaar information. Only authorised vendors have the details on how to use the APIs.

NIC built an Android application, called eHospital, which made the security key and the APIs they used easily available to anyone who would attempt to view it. That is how Srivastav was able to piggyback on top of the APIs exposed because of eHospital and access Aadhaar data.

The NIC app had a service for booking appointments at different government hospitals. To verify the identity of the person booking an appointment, the app used eKYC. Thus, it was using information in an individual’s Aadhaar card for identity verification, and had access to the Aadhaar database.

NIC is one of the 27 organisations which can directly access the UIDAI’s data store. These organisations with direct access are called ASAs (Authentication Service Agencies). There are 254 organisations in total which have the permission to use Aadhaar data for identity verification. If the organisation is an ASA, it can access the Aadhaar database directly. Otherwise, it can access it through an ASA. The NIC app, eHospital, was never audited by the UIDAI, and there are many other such similar apps which were not included in the scope of the audit. This means that inspite of UIDAI’s claims of the Aadhaar being extremely secure, it in fact isn’t, and it won’t take much for someone’s identity to be stolen and used for all sorts of illegal purposes. This data can also be used for surveillance and profiling, both of which are serious privacy violations.

The security risks of having a centralised database storing identity information for an entire country are recognised internationally. For this reason, first world countries abandoned similar projects of having a biometric linked unique identity, as covered in an earlier report. The major argument used by the government to support Aadhaar is that welfare schemes can only be implemented successfully using Aadhaar. But this also has been proven wrong. Instead of facilitating easy implementation of welfare schemes, Aadhaar has in fact hindered it. Despite massive opposition and many more such data leaks earlier, the government is still pushing for Aadhaar to be mandatory. The purpose of Aadhaar then does not remain welfare of the people, but welfare of corporates and establishment of a surveillance state.

Disclaimer: The views expressed here are the author's personal views, and do not necessarily represent the views of Newsclick.