Is Your Aadhaar Biometrics Safe? Firms Accused of Storing Biometrics and Using Them Illegally

The biggest fear regarding misuse of Aadhaar biometrics and security loopholes are becoming real.

Three firms are being probed for attempting unauthorised authentication and impersonation by using stored Aadhaar biometrics, reported The Times of India.

The paper reported that the Unique Identification Authority of India (UIDAI) has lodged a criminal complaint with the cyber cell of Delhi Police, saying it is a clear violation of the law.

"The firms are Axis Bank, Suvidhaa Infoserve and eMudhra. They have been served a 'notice for action' under Aadhaar regulations."

The firms have been accused of storing biometrics and using them illegally.

The fears of biometric security have been compounded as the government is sprinting towards the next phase of 'cashless India' and digitisation. They are preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money.

The proposed system of payments will use a person's biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.

Outlook's Senior Associate Editor Arindam Mukherjee had in a clairvoyant article for the magazine raised the fears of biometrics being manipulated.

In the article, critics of Aadhaar and Aadhaar-based services raised the issue of privacy and security of biometric and personal data.

Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, "As long as Aadhaar-Enabled Payment Services encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud." Would you tell a shopkeeper your debit card's PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable Aadhaar Enabled Payment System PIN, he asks.

Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, "In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure."

According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn't get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices.

And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned. "Our concern with Aadhaar Pay is about the biometric component of the project," says Abraham. "Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card."

Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. "In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints," says Ramanathan.