Aadhaar, India’s massive biometric database, is facing new allegations of compromise after local journalists reported paying the equivalent of $10 in Indian rupees for full administrative access.
With nearly 1.2 billion assigned numbers, the Aadhaar program, launched in 2009, is the largest national database of people in the world. The unique 12-digit codes assigned to citizens and other Indian residents are maintained by the Unique Identification Authority (UIDAI) and are linked to a wealth of personal information, including biometric data such as fingerprints and iris scans.
The program was intended to give Indian residents easy access to social programs for healthcare, education, and general welfare; however, the program began rapidly expanding in 2014, not long after the Indian National Congress (INC) performed terribly in parliamentary elections. The government began seeding Aadhaar numbers into numerous government databases and, as BuzzFeed’s Pranav Dixit reports, major tech companies such as Amazon and Uber have sought access for their own purposes.
Aadhaar has suffered breaches before; Gizmodo reported 130 million Indian residents at risk after a leak in biometric system data last spring. But fresh reports from local sources, highlighted by Dixit on Thursday, indicate security around the system may be even worse than imagined.
Journalists at local paper The Tribune report that for Rs 500 (roughly $US8 ($10)), they were able to purchase a username and password that gave them full access to the Aadhaar systems from a man they contacted using WhatsApp. Needless to say, UIDAI officials were concerned and, according to The Tribune, authorities considered this a “major national security breach.”
A second report, published by Indian news website The Quint, detailed a security loophole that gave anyone with administrative access the ability to grant anyone else full access. “Let’s say [Person X] gives access to person Y and person Z,” the site explained: “Persons Y and Z can then log onto the Aadhaar portal and add Persons A, B, C, and so on.” With these privileges, users would have access to information like names, addresses, dates of birth, parents’ names, gender, mobile numbers, language – but not iris scans or fingerprint data.
Naturally, most of the controversy around Aadhaar is focused on the potential for privacy invasion, but identity theft is also a major concern. In an interview last year, an INC member told Gizmodo that while the system itself is “amazingly modern” and, in the right hands, capable of much good, noticeably absent are privacy laws and the regulatory framework one would expect to follow such a massive data collection effort.
What’s more, a high-tech system designed to pair uniquely assigned numbers with biometric data was turning, due to a lack of biometric sensors around the country, into something more akin to the Social Security numbers used in the United States, which is, of course, very problematic. Basically, Aadhaar numbers are not often checked against the fingerprints or iris scans of the cardholders, which makes these newly reported security lapses in the system a truly significant event.
Last year, a breach at four national- and state-run databases leaked as many as 130-135 million Aadhaar numbers. And this was a month after the leak of a spreadsheet, which could be found using Google, containing thousands of numbers, addresses, and tax ID numbers.