A series of potentially calamitous leaks in India leave as many as 130 million people at risk of fraud or worse after caches of biometric and other personal data became accessible online. That's according to a new report from the Bangalore-based Centre for Internet and Society (CIS), which details breaches at four national- and state-run databases, all of which are said to contain purportedly "uniquely-identifying" Aadhaar numbers.
Launched in 2009, the Aadhaar system is an ambitious, albeit flawed program aimed at assigning unique identity numbers, not only to Indian citizens, but everyone who resides and works in the country. It is the largest program of its kind in the world. The 12-digit Aadhaar codes are assigned and maintained in a central database by the Unique Identification Authority of India (UIDAI) and link to biometric data of fingerprint and iris scans combined.
For security purposes, since 2002, all US passports issued to international travellers at embassies and consulates around the world have contained biometric data, including a 10 fingerprint scan, contained in a microchip embedded in the back cover. In 2007, the law was extended to cover US citizens, and since at least 2013, so-called "e-passports" have been the standard. Australia has solely issued e-passports since 2005.
With a very different intention in mind, the Aadhaar system was created to employ biometrics as a means to ensure that Indian residents have access to the social safety net, including programs for welfare, health and education. But due to the sheer scale — again, the largest biometric project in history — the program has been fraught with controversy since day one. Since inception, more than 1.13 billion Aadhaar numbers have since been assigned, according to UIDAI data. (India has a population of roughly 1.32 billion.)
Former World Bank economist Salman Anees, a member of the Indian National Congress (INC), points to migrant labourers as an example of those the program is intended to help. The often carry no identification, he said, and therefore can rarely prove who they are when travelling from state to state. The purpose of the Aadhaar system, he said, is to provide every Indian with a "digital identity".
"At least, that was the original idea," adds Soz.
After the INC was battered in the 2014 general election, plans were put forth to expand the scope of the Aadhaar program, inflaming public concern over security and privacy. "Basically, you take this Aadhaar number and you start seeding different [government] databases," Soz says. "And that, in effect, creates this huge data structure that people are very uncomfortable with."
"In some ways," he continued, "what you have is this amazingly modern system with huge data collection potential — and of course, many positives can come from this, but in the wrong hands it can become a huge problem for India. At the same time, your legal framework, your regulatory framework, your policies and procedures are not there. People aren't aware of what their rights are. They have no idea what this thing can do."
One problem, Soz says, is that Aadhaar numbers are not always checked against a cardholder's fingerprints or iris scans in all cases, defeating its purpose entirely. When someone provides an Aadhaar number to prove their identity online or by phone, for example, their identities cannot adequately verified. In this way, Aadhaar numbers are not wholly unlike Social Security numbers in the United States. Were 130 million Social Security numbers to be leaked online, confidence in the ability to use that number to confirm an Americans' identities would be shaken, if not destroyed.
Last month, a central government database containing thousands of Aadhaar numbers — as well as dates of birth, addresses, and tax IDs (PAN) — reportedly leaked, exposing thousands of Indian residents to potential abuse. According to The Wire, the information, which was contained in Microsoft Excel spreadsheets, could be easily located on Google.
According to CIS, roughly 130-135 million Aadhaar numbers have now been exposed in this most recent leak. With the growing use of the numbers in areas such as insurance and banking, and without proper mechanisms in place to biometrically confirm the identities of cardholders in every case, the threat of financial fraud is pervasive. "All of these leaks are symptomatic of a significant and potentially irreversible privacy harm," the report says, noting that such incidents "create a ripe opportunity for financial fraud."
While Aadhaar is not mandatory everywhere, CIS says, the Indian government continues collecting information about the participants under various social programs. Inevitably, that information is combined with other databases containing even more sensitive data. As that happens, there's a heightened risk to those whose Aadhaar numbers have been compromised. How the Indian government will address its apparently inadequate security controls before fraud overwhelms the system remains unknown.