Whose Aadhaar is it Anyway? – A Data Security Perspective
A few days ago, I was trying to transact on one of the many online appliance rental sites. It required a staggering amount of documentation for even the cheapest appliance. Among the many documents required was a copy of the Aadhaar card, a scanned color copy, nothing less. Verification, I was told, would take at least a week.
This got me thinking about all the information that goes into my Aadhaar card and whether it was wise to part with it, recklessly uploading it on possibly unreliable sites.
The government of India established the Unique Identification Authority of India (UIDAI) to issue unique IDs to citizens with the intention of providing an easy and cost-effective system of identity verification and authentication. When you enroll, you provide the following:
- Biometric information including facial photographs, fingerprints and iris scans.
- Demographic information such as your name, date of birth, gender, address, mobile number, email ID, and your current relationship status.
- Along with demographic and biometric information, you also provide informed consent for the sharing of this information when required.
The de-duplication process ensures that you can enroll only once and have only one UID issued. When you enroll, your information is first verified against existing information in the database. If you try to enroll again, the previous record is updated.
The information is stored in the Central Identities Data Repository (CIDR) that exists in one or more locations. When a service provider seeks to verify your identity, the details they provide are verified against information in the CIDR. The authentication service is online and in real time.
The authentication service is provided through two data centers, one in Hebbal and one in Manesar, India. The open-source architecture ensures there is no dependence on specific computer hardware, OS, or vendor technologies. It can already handle huge volumes of data traffic and is scalable.
So, once we provide all this information along with signed consent to share it, is our data safe?
By design, nobody other than the UIDAI has access to data in the CIDR. When an Aadhaar-based authentication is sought, the authentication service simply compares the data provided by the authentication seeker with the data in the CIDR and returns a YES/NO answer indicating a match or no match. The data itself is never exposed. An authentication seeker must provide the UID (Aadhaar number) together with one piece of biometric or demographic information, or an OTP. The kind of information sent depends on the authentication device of the authentication seeker. So, when the passport office verifies your identity, they take your Aadhaar number and your fingerprint. When you file your income tax returns, your identity is verified against your Aadhaar number and an OTP sent to the mobile number linked to it.
The UIDAI has several regulations in place to ensure data security at all stages:
- An authentication seeker must ensure that the information is encrypted during capture and that it is not sent unencrypted over a network.
- This information must not be stored unless for buffered authentication and even then, only for a short period.
- The information must not be stored on a permanent storage device or database.
- If the capture of this information requires an operator, then operator identity must be verified.
- There must be adequate levels of logging at all stages.
- Authentication seekers must have our consent before they can validate our information with information in the CIDR. So ideally, verification against the information collected from us cannot happen without our prior consent.
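The flow described above (seeker sends UID plus one factor, service answers only YES or NO) and the handling rules in the list can be seen together in the following toy model. This is an added example, not UIDAI's API, protocol or code: the "CIDR" records, operator IDs and keys are constructed, the transport protection is a teaching construction (HMAC-SHA256 keystream XOR with a MAC tag) standing in for "encrypted during capture", and biometric factors are left out because fingerprint matching is a fuzzy comparison, not an exact one. What it does show is that the service never returns stored attributes, the seeker keeps nothing but a masked audit line, consent is checked before any comparison, and the OTP is single-use.

```python
# Added illustration of a YES/NO authentication model and seeker-side handling.
# NOT UIDAI's scheme; every record, key and name below is constructed.
import hashlib
import hmac
import secrets
import time

# Constructed "CIDR" records (fictional people, fictional numbers).
CIDR = {
    "123412341234": {"name": "Asha Verma", "dob": "1990-04-12", "mobile": "9999900001"},
    "567856785678": {"name": "Rahul Iyer", "dob": "1985-11-30", "mobile": "9999900002"},
}

# Toy transport protection: HMAC-SHA256 in counter mode as a keystream, XORed
# with the plaintext, then a MAC over nonce+ciphertext (encrypt-then-MAC).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class AuthService:
    """Holds the repository; answers only YES/NO plus a transaction id."""
    def __init__(self, repo: dict, key: bytes):
        self.repo, self.key = repo, key
        self.otps = {}  # uid -> (otp, expiry); in reality sent to the linked mobile

    def issue_otp(self, uid: str) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otps[uid] = (otp, time.time() + 300)
        return otp  # returned here only so the example can run offline

    def authenticate(self, request: dict) -> dict:
        txn = secrets.token_hex(8)
        if not request.get("consent"):          # consent is checked first
            return {"txn": txn, "result": "NO"}
        record = self.repo.get(request["uid"])
        if record is None:
            return {"txn": txn, "result": "NO"}
        factor = request["factor"]
        value = unseal(self.key, request["sealed"]).decode()
        if factor == "otp":
            otp, expiry = self.otps.pop(request["uid"], (None, 0))  # single use
            ok = otp is not None and time.time() < expiry and hmac.compare_digest(otp, value)
        elif factor in record:
            ok = hmac.compare_digest(record[factor].casefold(), value.casefold())
        else:
            ok = False
        return {"txn": txn, "result": "YES" if ok else "NO"}  # no attributes leave

class Seeker:
    """Authentication seeker: verified operator, encrypt at capture, log only."""
    def __init__(self, service: AuthService, key: bytes, operators: set):
        self.service, self.key, self.operators = service, key, operators
        self.audit_log = []

    def verify(self, operator_id: str, uid: str, factor: str, captured: str, consent: bool) -> str:
        if operator_id not in self.operators:
            raise PermissionError("operator identity not verified")
        sealed = seal(self.key, captured.encode())  # sealed immediately after capture
        del captured                                 # plaintext is not retained
        resp = self.service.authenticate(
            {"uid": uid, "factor": factor, "sealed": sealed, "consent": consent})
        self.audit_log.append({"ts": time.time(), "operator": operator_id,
                               "uid": "XXXXXXXX" + uid[-4:], "factor": factor,
                               "txn": resp["txn"], "result": resp["result"]})
        return resp["result"]

def build_demo():
    """Constructed setup: one service, one seeker with a single verified operator."""
    key = secrets.token_bytes(32)
    service = AuthService(CIDR, key)
    return service, Seeker(service, key, {"op-01"})

if __name__ == "__main__":
    svc, seeker = build_demo()
    print(seeker.verify("op-01", "123412341234", "name", "asha verma", True))   # YES
    print(seeker.verify("op-01", "123412341234", "name", "Asha Verma", False))  # NO (no consent)
    print(seeker.audit_log)
```

Note that the audit log records who asked, for which masked UID, with which factor and what the answer was, but never the captured value itself; that is the "adequate logging" rule and the "no permanent storage" rule satisfied at the same time.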
While there might be some gaps, the framework of a secure system seems to be in place. If the information in the repository cannot be accessed by unauthorized individuals, if the data an authentication seeker collects from us is encrypted at all times and stored nowhere, and if the verification response is also encrypted, then this should be a secure method of authentication.
Yet there have been known instances of data leaks and misuse of personal data. This brings me back to the online site I mentioned earlier. I backed out based on the sheer amount of personal information they requested. Was it even necessary? Recklessly uploading personal information, or copies of your Aadhaar card that contain all of it, when it might not even be necessary, to a site you have no way of knowing is an authorized Aadhaar authentication user: could that be a potential leak?
Personal information that we also store in the CIDR might be misused, but the source of the misuse might not be the CIDR.
Maybe we should be more careful about when and with whom we choose to share this data, and do our bit to keep our personal data safe.