Information is power, and in the twenty-first century, information warfare is another vertical which nation-states need to be worried about.
Information is power, and in the twenty-first century, information warfare is another vertical which nation-states need to be worried about. 
Magazine

The Threat Of Aadhaar-Enabled Surveillance

BySrinivas Kodali

The cost of mass surveillance enabled by Aadhaar to a democratic society would be enormous, with all our rights being at the whims of governments.

The Aadhaar project has faced heavy criticism over the past two years because of the manner in which it is being forced upon citizens and concerns of potential privacy violations, surveillance by state and non-state actors apart from the high rate of failure with biometrics for elderly/differently abled people. The Unique Identification Authority of India (UIDAI) and the proponents of the project have always claimed Aadhaar is privacy by design and collects minimal information. The Minister for Electronics and Information Technology Ravi Shankar Prasad loses no opportunity to flash his Aadhaar card at public events and point out that it has only the name, date of birth, gender and address and that the enrolment process does not collect religion, caste and other sensitive information.

All these claims fall apart in the case of the State Resident Data Hubs (SRDH), another important component of the Aadhaar ecosystem which is rarely mentioned. SRDH is a data repository of all residents of a state just like the Central Identities Data Repository (CIDR), the core Aadhaar database which has all the biometrics and demographic information of all residents in India. Unlike the CIDR, the SRDH database is connected to the internet, but more importantly, it is not limited to basic information of residents and has 360-degree profiles of everyone.

Architecture of SRDH in the Aadhaar Ecosystem

Note: KYR = know your resident; UID = unique identity; EID = Enrolment ID

The SRDH projects were built with support from UIDAI – the demographic data of residents in the CIDR were made available to states to build 360-degree profiles using Aadhaar as a unique identifier by seeding it to every database. Basic demographic data termed as Know Your Resident (KYR) data is collected by states as they also act as registrars and collect information for Aadhaar. However, some states, using the same enrolment software, collect other details like caste, religion, occupation, marital status, PAN card, bank details and so on, terming them KYR+ data. While the number of parameters that the CIDR has about an individual is less than 10, the SRDH has every minute detail about a resident from his/her birth to death, terming them the “Golden Profile” of residents.

The reason often given for the need for an SRDH database is to improve governance and to remove ghost beneficiaries from the welfare system. But SRDH has been expanded further to link non-welfare system databases like policing, taxation, litigation and even personal health profiles. Presentations by bureaucrats suggesting the use of this database for surveillance are available in the public domain. In short, state governments are building their own state GRIDs on the lines of NATGRID, which will eventually get access to all these SRDH databases. Clearly, this is a case of mass surveillance with no checks and balances under the pretext of saving government money.

Thirteen states – Odisha, Tamil Nadu, Delhi, Telangana, Andhra Pradesh, Haryana, Kerala, Maharashtra, Madhya Pradesh, Karnataka, Punjab, Himachal Pradesh, Rajasthan – have already partially or fully built these databases. Some, especially Telangana and Andhra Pradesh, have carried out door-to-door people surveys to collect personal information of every resident in the state. This was done right after the bifurcation of erstwhile Andhra Pradesh and people, apprehensive about not being recognised as resident of either state and losing their livelihoods/welfare benefits, readily participated in these surveys and shared their personal information.

In Andhra Pradesh, the government went a step further to geolocate the entire family of residents by carrying out e-KYC (know your customer) of residents. This information is publicly available as part of the Andhra Pradesh Chief Minister Dashboard. Many Aadhaar portals publish masked Aadhaar numbers, expecting that nobody can use it because it is masked partially. However, with enough non-last four digits of an Aadhaar number, one can unmask the actual number with enough computing power as Aadhaar numbers follow a specific pattern generated using the verhoeff algorithm.

Clearly, a large state actor like China or Pakistan or non-state actors like private companies in the data business can exploit this and profile citizens based on the large information being collected. Information is power and in the twenty-first century information warfare is another vertical which nation states need to be worried about.

The national security implications of large-scale breaches of Aadhaar are enormous. It has already been established that 210 government websites have been publishing Aadhaar numbers along with other personal, financial information of individuals. A May 2017 report by the Bengaluru-based Centre for Internet and Society showed that just four websites were publishing as many as 130 million Aadhaar numbers and 100 million bank account details.

The recent breach of access to Aadhaar demographic details reported by the Tribune was from a redressal portal which central and state government authorities have official access to. There are many such portals that are part of SRDHs, giving every official access to the demographic details of every resident in the state and these portals are a larger problem than the one the Tribune wrote about as they have more than basic demographic information. Certain states also have access to biometrics as they are either collecting it partially for policing or as part of driver licence registrations, apart from direct access to retaining biometrics in cases where states act as enrollment registrars. The Aadhaar Handbook for Registrars clearly says: “Registrars may retain the biometric data collected from residents enrolled by them. However, the Registrar will have to exercise a fiduciary duty of care with respect to the data collected from residents and will be responsible for loss, unauthorized access to and misuse of data in their custody.”

What is even more worrying is that Aadhaar has become the gateway for corporate surveillance of individuals as well.

IndiaStack, a set of five Application Programming Interfaces (APIs) including the Aadhaar ecosystem and the unified payment interface (UPI), built, maintained and run by the volunteer group of iSPIRIT, supports this model. It reflects in the businesses which are part of the IndiaStack sandbox. For example, one of the startups, OnGrid, provides verification services to private companies hiring employees by collecting data of nearly every citizen’s criminal records, court records, university certificates and even tracks if you were fired in your previous job. This is an issue because an individual is being subject to constant surveillance with information generated by Aadhaar. There are numerous other similar startups like TrustID and IDfy, which are using Aadhaar to do similar profiling of citizens and their customers on the pretext of fraud detection.

The entire digital economy being planned with Aadhaar as the fulcrum centre is replicating the practices of the American financial and lending services industry, which has come under constant scrutiny by the United States Congress due to massive data breaches in 2017. In July 2017, hackers breached the security of a consumer credit reporting agency, Equifax, and stole personal and financial information of around 144 million American citizens. In another incident in December 2017, data of 120 million American citizens collected and sold by another credit scoring giant, Experian, was leaked.

Personal data of citizens is being forcibly collected to build a digital economy for India. While a digital economy is important for India, it needs be built on scientific and public data, respecting privacy, instead of sensitive personal information. Businesses focusing on space research can benefit more from data of Mangalyan than an individual's private data for targeted advertising. An economy built on personal data will hurt us in many anticipated and unanticipated ways. In a frequently asked question on the IndiaStack website, about whether there are enough safeguards if an Indian startup is breached, the volunteer team which built Aadhaar answers the law has enough provisions. The assumption here is that Aadhaar is following the law and respecting the rights of individuals; clearly there is disagreement about it in the form of the cases before the Supreme Court.

It is not just the surveillance aspects of Aadhaar which are problematic, the possibility of social engineering attacks and poor security practices by ecosystems partners is causing enough harm already. In Hyderabad, in November 2017, around Rs 40 lakh was stolen from individuals by creating bank accounts with Aadhaar cards found online and diverting subsidy amount given as direct benefit transfers. This is a clear case of identity fraud recorded by the Hyderabad Police. Then came the example of Airtel opening bank accounts of people who linked their mobile to their Aadhaar card, without their knowledge, as a result of which Rs 200 crore of subsidy amount of individuals flowed into these accounts.

With all the information breaches and security loopholes within the Aadhaar ecosystem, the UIDAI refuses to listen to the concerns of security researchers. It is yet to bring a formal policy for researchers to report security incidents securely. UIDAI’s approach has been to file first information reports against researchers and journalists for exposing flaws in the Aadhaar ecosystem. The approach of blanket denials and template answers is not helping anyone.

Surveillance is not always bad; it could help us find criminals and, in rare cases, some terrorists. But the cost of mass surveillance enabled by Aadhaar to a democratic society would be enormous and could lead to civil death with all of our rights being at the whim of the government. What India needs is targeted surveillance on the rich and powerful who take advantage of our society and not every common man without any reason.