Aadhaar Safety
Aadhaar Safety is a Deccan Chronicle expert roundtable published on 26 March 2018. The article responds to Attorney General K.K. Venugopal’s Supreme Court submission that Aadhaar data remains secure behind 13-foot-high, 5-foot-thick walls. Technology and privacy experts, including Sunil Abraham, critique this approach and discuss proper digital security measures for protecting biometric databases.
Article Details
- Published in: Deccan Chronicle
- Date: 26 March 2018
- Type: Expert Roundtable
Full Text
We get experts to give their take on a current issue each week and lend their perspective to a much-discussed topic.
Attorney General K. K. Venugopal claiming before a five-judge constitutional Bench of the Supreme Court that Aadhaar data remains safe and secure behind a complex with 13-ft high and 5-ft thick walls has resulted in a series of trolls and hilarious responses. We ask tech experts if this is the proper way to ensure safety of digital data and their opinions on alternatives, if any, to keep public data safe.
'Safety claims are bogus'
Hrishikesh Bhaskaran, Privacy Activist
Aadhaar safety claims are bogus. It is vulnerable and its vulnerabilities were pointed out by many information security experts in the past. If someone says that a 13-ft high 5-ft thick wall complex is protecting your digital data (which is well connected to the outside network) be sure that a village is missing its idiot. Digital data leak almost always happens through the network. Multiple cases were reported about the Aadhaar data leak (The Tribune report for example). Many government sites are leaking Aadhaar details of citizens and are available publicly through a simple Google search. (Read as the data are already in public without anyone hacking into it).
The system is defective by design and is maintained by mediocre talents and technology. I feel that their claims about the huge walled protection are a tactic to divert discussion on the human rights angle because otherwise, the government will have no choice but to scrap the whole Aadhaar idea. The only way to protect the personal data of citizens is to start afresh.
'Multi-level security assumes added significance'
Jaideep Mehta, CEO of VCCircle.com
Physical security is an important component in the overall security architecture. In addition, there is a need to protect the data with multiple levels of cyber security including data encryption, biometric-driven access, protection against malware and so on. Multi-dimensional security assumes added significance as this is a nationally important database.
'Tightening system, or line of human command more important'
Ershad Kaleebullah, Technology Editor
There are right ways to secure digital data. I know of solutions at the individual user level. But for something of Aadhaar's size the security of digital data will obviously happen at a much, much larger scale. All the resident data and raw biometrics are stored in UIDAI's datacentre and even fortifying it with the world's thickest and tallest wall is not going to protect them. I'm really not sure of any foolproof data security systems in the world at that scale. Tightening the system or the line of human command is more important. If Snowden can walk out of NSA with highly confidential information on a lowly thumb drive, Aadhaar data can be easily hacked. If I have to be blunt here, Indians can't keep a secret to save their lives.
'Your data security is in your hands, always be cautious'
Viraj Kumar Pratapwant, Senior Software Design Engineer
First off, no hacker is going to run into a data center and rob data disks. The idea to construct high and thick walls will make anyone chuckle. Speaking about alternatives, let's talk about data. Basically there are two types of data: Data in Motion and Data at Rest. The right set of firewalls guarding these two kinds will ensure some amount of security. Sensitive and vital information should always be encrypted and kept out of reach for any external source to access this data. Having multiple steps of verification could help the user safeguard his authenticity. Your data and privacy are the most important factor; they should only be shared with trusted sources and with your consent. A lot of data are going digital and soon our lives will completely rely on digital data. The government should enforce strict vigilance over public data. They should make sure that the consumers follow all the security guidelines and must prove that the data will be saved responsibly. Any compromise caused by any sources should be penalised by law. Lastly, your data security is in your hands, always be cautious about who and where you are giving the data.
Sunil Abraham, Executive Director at Centre for Internet and Society
Encryption, regardless of the key length, is only useful when citizens have absolute control of the private key. If the UIDAI had gone with smart cards, my private key would have only been stored on my smart card. Even though the data is encrypted in the CIDR, the deduplication software needs to compare the biometric of the person getting enrolled with the unencrypted biometric of others already in the database. This means that the engineer who controls the software has access to the whole biometric database. If a foreign state installs a Trojan on the engineer's system, it can get into the CIDR. The deduplication software is a proprietary black box software which is owned by a foreign corporation. We don't know what hidden capabilities are there in this software.
Context and Background
This roundtable appeared during constitutional hearings before a five-judge Supreme Court bench examining the legality of Aadhaar, India’s biometric identification system. Attorney General K.K. Venugopal’s argument that physical infrastructure—specifically, 13-foot-high walls with 5-foot thickness—protected the database prompted widespread ridicule online, exposing fundamental misunderstandings about digital security threats.
Just weeks earlier, The Tribune had published an investigation revealing how reporters purchased unauthorised access to Aadhaar data for Rs 500 through WhatsApp agents. The breach demonstrated that data leaked not through physical intrusion but via compromised credentials and insider access—precisely the vulnerabilities experts had long warned about. Rather than addressing these systemic flaws, UIDAI controversially filed an FIR against the journalist who exposed the problem.
The experts assembled here articulated critical technical objections. Abraham’s analysis focused on architectural vulnerabilities: the Central Identities Data Repository required deduplication software to compare biometrics in unencrypted form, meaning engineers operating the system possessed unrestricted access to the entire database. This software, supplied by foreign vendors, remained a proprietary black box whose hidden capabilities were unknown. His advocacy for smart cards would have given citizens control over private keys, fundamentally altering the security model.
Other contributors emphasised different dimensions of the problem. Bhaskaran condemned Aadhaar as “defective by design,” noting that multiple government websites had inadvertently published Aadhaar numbers publicly, making data accessible through simple Google searches without any hacking required. Kaleebullah invoked the Snowden precedent, observing that insider threats posed greater risks than external attacks for databases of this scale.
The constitutional challenge culminated in a September 2018 Supreme Court judgment that upheld Aadhaar’s validity whilst imposing significant restrictions on mandatory linkage and private sector use. However, fundamental security concerns raised in this roundtable—about centralised biometric databases, proprietary software, inadequate oversight, and architectural vulnerabilities—remained largely unaddressed in the final ruling.
This page was created on 6 January 2026.