In a landmark ruling last August, the Right to Privacy became the seventh Fundamental Right guaranteed by the Constitution of India. Before the ink was dry on the decision, observers such as myself wondered how the new Aadhaar biometric identification system could possibly be recalibrated to align with it.
In fact, Aadhaar had been central to the discussion about privacy that led to the ruling, as had the Facebook-owned WhatsApp messenger. As Additional Solicitor-General P.S. Narasimha told the Supreme Court in July, "My individual personal data is intimate to me. It is an integral part of my right to lead a life with dignity." By then, over a billion Indian residents had given their most individually-identifying information to government agency UIDAI.
Those who worried about WhatsApp and Aadhaar at the time were on the right track, but they could not have known the full depths of the problem. Who would have guessed that anyone's Aadhaar data would soon be bought and sold cheaply over WhatsApp? Last year, there were signs that Aadhaar data was being mishandled, and not necessarily by UIDAI. Parallel databases that stored Aadhaar data and used it for identification were recklessly publishing information.
It's well-known that UIDAI doesn't own up to its mistakes, instead threatening reporters who reveal vulnerabilities. UIDAI's web-based portal still has major problems, and it was just revealed this week that any administrator can give anyone else in the world full access to the database backend, often for a price. Not only are a variety of questionable third-party apps available through Google Play that request Aadhaar data, but UIDAI's official mAadhaar app has serious problems.
In an effort to understand these issues more thoroughly, I contacted Baptiste Robert, a French security researcher who goes by the Mr. Robot-inspired pseudonym - Elliot Alderson. Though Baptiste's work exposing scary flaws in the mAadhaar app has prompted no official response, it has caught the attention of cyber- security superstars like Edward Snowden and Troy Hunt.
As Baptiste said in an e-mail, "UIDAI didn't contact me. The app is still not updated. Regarding how they used the Play store, I'm pretty sure they lost the release keys and so are unable to update the app."
Such incompetency by UIDAI is plausible, given the basic mistakes made in the mAadhaar app's design. Mobile apps are notoriously difficult to secure, and my own digging into app privacy continues to remind me that even 'anonymised' or 'masked' information may identify individuals when databases are correlated. mAadhaar sidesteps this issue with a bizarre twist: the local
database on each phone is completely open to attack. This database, which contains a user ID, Aadhaar ID, name, date of birth, gender, address, and photo, supposedly uses a 'random' password. That database password is the exact same for everyone who installs the app, allowing anyone who has physical access (and, potentially, remote access) to your
phone to access the data within seconds. It doesn't stop there. The password to log into the mAadhaar app is also easily bypassed in a few seconds and there's more than one method to do it.
Once the app is running, the password prompt can even be bypassed by force quitting. The problems continue to mount the deeper you look. Baptiste warns users,"The best move is to not install this app. This app is pretty insecure and has not been designed to keep sensitive information."
Notably, there's a debug feature that was left turned on when mAadhaar was published in Google Play, allowing an attacker to repackage imposter versions of the app that keep unencrypted log files on the phone. Such logs could then be grabbed by an attacker with physical access to the device or even remotely through the Internet.
Scam versions of well-known apps propagate quickly, as we saw when Google Play was flooded with fakes of Snowden's Haven app. There doesn't seem to be any initiative on UIDAI's part to crack down on impersonators, and there's also a thriving market of advertising trackers inside third-party Aadhaar apps. Any massive database system will have security holes, and UIDAI's bold attempt to store the personal information and biometrics of 1.3 billion people is no different. On the surface, it might seem that strong centralized control of Aadhaar's systems might have avoided any data breaches or mishandling of information. Aadhaar's problems can't be blamed on government outsiders, however, while UIDAI cosies up so closely with private firms and has even formed a cottage industry of Aadhaar-linked start-ups.
Whenever a security researcher looks at an official government Aadhaar app, there are blatant privacy problems and sloppy cyber-security, such as sending data over the Internet unencrypted.
To compound this, web portals linked to Aadhaar are left open for exploitation. "I managed to have a total access to the website of aadhaarapi.com," says Baptiste, "due to a basic issue in their WordPress installation."
The official response to these problems is, consistently, misdirection or outright denial. Indians are supposed to take comfort that CEO of UIDAI Ajay Bhushan Pandey has 'sleepless nights' over hacking threats while Aadhaar data is 'fully safe and secure with highest encryption'.
Pandey was in full damage-control mode during a special question and answer session on Data Privacy Day, adding his voice to the government agency's long denials of any data breach.
Social media is increasingly a battleground for governments attempting to suppress the voice of their people. If the Indian government is engaged in automated campaigns to quiet criticism of Aadhaar, it is doing a clumsy job. A small army of automated bot accounts sends the exact same tweets under the hashtag #AadhaarMythBuster, though that tag may soon be hijacked by
Legal debates about Aadhaar continue to hinge on national defence and public safety questions, and the Supreme Court has just stated that in the face of 'terrorism and money-laundering... a balance between state interest and citizens' privacy right has to be maintained.' Talk of such a 'balance' is a distraction from the legitimate grievances of Indians who have had their Right to Privacy violated by the invasive biometric identification program.
The first step toward justice is admitting UIDAI's cyber-security mistakes. Given the severity of Aadhaar's privacy problems, it's quite likely that mountains of Aadhaar data are circulating on black markets - whether that means thousands, millions, or billions of profiles is impossible to say. As experts have warned, "Thanks to Aadhaar, for the first time in the history of India, there is now a readily available single target for cyber criminals...attacking UIDAI data can potentially cripple Indian businesses and administration in ways that were inconceivable a few years ago. The loss to the economy and citizens in case of such an attack is bound to be incalculable."
Perhaps it's time to stop the bleeding, put an end to the massive identification project, and take the Constitution of India seriously.
Sean O'Brien is a cyber-security researcher and Visiting Fellow at YalePrivacyLab, an initiative of the Information Society Project at Yale Law School.