As reports are emerging of personal data associated with Aadhaar ID being sold in alternate markets for as little as 500 Indian Rupees, are we witnessing the weaponization of identity becoming a reality?
Introduction
Identity, identification systems, and ID are evolving. As seen across nations, there is an intense effort going on to redefine national identity: who they are, where they belong, what their culture should be, and what they believe in as a nation. Simultaneously, efforts are also going on to define and design national IDs, including digital identity, identification systems, and IDs for all citizens. National identification systems are emerging rapidly, and the focus seems to be increasingly around digital identity systems and ID.
The human ecosystem is on its way to expanding beyond cyberspace, aquaspace, geospace, and space (CAGS), and many countries and corporations are already making serious plans to establish colonies on the moon and beyond. At the same time, humans are also creating human-like machine intelligence, which will be embedded into human-like robots, drones, matter, and more. So, understandably, when there is a need for establishing identity and an identification system for all forms of intelligence (humans + algorithms), should not our efforts be on defining a single human identity and identification system, rather than those based on individual nations?
National ID
Due to the growing promise of digital ID and digital identification systems, many new national initiatives are emerging to create digital identities for their citizens. However, in many of these nations, the efforts are proving to be challenging due to the lack of adequate legal frameworks, regulations, processes, identification and authentication tools, technologies, and more. As a result, human identity fraud is becoming a growing security problem.
Now, irrespective of whether identity fraud is tied to social security numbers (SSNs) in the United States, national insurance numbers in the UK, UID numbers in India, or the digital ID in Estonia, the emerging reality of identity fraud, crimes, and complex privacy and security risks is becoming a cause of great concern for everyone across nations.
Acknowledging this emerging reality, Risk Group discussed India’s Aadhaar ID on Risk Roundup with several decision-makers from across nations.
Risk Group discussed India’s Aadhaar ID on Risk Roundup with Prof. Subhajit Basu.
Risk Group discusses Complex Challenges of Securing India’s National ID Database with Prof. Subhajit Basu, an Associate Professor in Information Technology Law (Cyberlaw), Chair: BILETA, Editor: IRLCT, School of Law, the University of Leeds based in the UK.
Republic of India’s Aadhaar Act
Defining and designing any system at a global or national level is a complex challenge. We are currently witnessing the design, development, and deployment of the national digital biometric identity system, the Aadhaar ID. When we examine its development processes, data protection methods and processes, privacy policies, integration capabilities, and impact, while also hearing serious charges against it, it is essential to evaluate it thoroughly. The Aadhaar system determines not only the privacy and security of the human population of India but also the security of systems tied to the Aadhaar ID. As the Aadhaar ID system was designed to be portable and adaptable, it is now tied to many systems and is increasingly used.
The Aadhaar Act is the world’s most massive human identification number scheme, with the biometric details of over a billion people stored in the database. It is important to note that the Unique Identification Number, run by the Unique Identification Authority of India (UIDAI), is not a proof of citizenship. The Aadhaar ID number is simply a random number that is assigned to unverified and unaudited biometric and other data submitted by private enrollment agencies. Since the UID database has never been audited according to the global industry standards by either the CAG or the Registrar General of India, the question then emerges: how could the UIDAI establish how many of the billion numbers they issued were to genuine residents with proof of residence, and how many were fraudulent identities? That brings us to further essential questions:
1. When Aadhaar authentication by private entities is now unconstitutional, and Aadhaar does not and cannot identify anyone, should it still be in use?
2. Should there be a verifiable process for auditing UID databases?
3. When the UID ID is questionable, why was it being tied to the financial system?
Aadhaar was mandatory for a large proportion of India’s population for some time. While the Indian Supreme Court ruled that Aadhaar identification by private entities was unconstitutional, it also ruled that the controversial identification system is constitutional. It has also removed the mandatory linkage with opening bank accounts. Questions still remain about its retention of data, data authenticity, privacy, security, as well as the commercial exploitation of biometric and demographic information by private entities.
Like India, as more nations move towards Digital National ID schemes with similar structural flaws and security vulnerabilities, the emerging mass identification databases are creating privacy and security risks for data, humans, and systems at all levels. How vulnerable to security challenges are any and all nations when using such digital identification systems?
It is not just the Aadhaar ecosystem. The reality today is that security best practices and protocols are not defined, designed, and deployed uniformly. When systems like Aadhaar are built in such a way that information about individuals can be accessed not just from the central UIDAI servers but also from other third-party private databases where Aadhaar numbers are linked with their respective datasets, it is a cause of great security concern.
Additionally, reports are emerging of personal data associated with Aadhaar IDs being sold in alternate markets for as little as 500 Indian Rupees ($7.27 or £5.83). Even software to print the Aadhaar Card is sold for a few hundred Indian Rupees. Although such national identity projects hold immense potential in improving public service delivery and governance structure, there is a need to keep security at the center of any and all such national ID developments. That brings us to an important question: when a security breach happens, who is accountable?
Risk Group also discussed these security concerns with Prof. Aman Aggarwal from India.
Risk Group discusses the Security Risks of the Aadhaar Payment System with Prof. Aman Aggarwal, a renowned economist, and a senior vice-chairman at the Indian Institute of Finance based in India.
Security Risks of Digital Biometric ID Systems
The use of biometric technology in the Aadhaar ID will likely have a profound impact on India’s security. While the rapidly evolving biometric technologies seem, on the surface, to offer much-needed secure identification and authentication solutions for nations, there is a need to evaluate their potential vulnerabilities.
The reason is that biometric ID systems are not just vulnerable to hacks; once an identity is compromised, it is almost impossible to fix. Given the complexity and potential impact of hacking, there is a need to protect biometric data from any abuse and misuse as it is being collected, processed, stored, and accessed. Moreover, there is a growing risk of artificial intelligence (AI) systems compromising biometric indicators. So, as we evaluate the insertion of biometric technology for Aadhaar ID, it seems security is still lacking in the Aadhaar ecosystem: its design, development, and deployment processes, policies, tools, and technology. While biometric ID systems seem secure on the surface, the security appears to be an illusion because once biometric data has been compromised, replicated, or superimposed, there is no way to undo the damage to humans, human identity, and the identification system.
The need to define effective procedures and policies to adequately protect biometric data from abuse and misuse remains. Moreover, the risks to performance, accuracy, privacy, interoperability, multimodality, and many other risks need to be understood and effectively managed. While personal data, biometric data, and network hacking security risks raise serious concerns, the rapidly evolving fraud capabilities (due to spoofed sensors and sensor inaccuracy) are also a cause of great concern. And perhaps most importantly, while the use of biometric technology was not designed for the invasion of privacy, the ways the digital biometric ID data is produced, stored, compared, and possibly linked to other information about the individual raise serious security concerns for the blurring boundaries between privacy and security, and security and surveillance.
What Next?
The Aadhaar ID, a digital biometric ID system, has been defined, designed, developed, and is in use. While on the surface this has enormous potential, the question is whether India is prepared for the existing and emerging security threats that are sure to come its way.