How Safe Is Your Biometric Data? The Potential Pitfalls of Aadhaar
Last week, the government managed to pass the Finance Bill, which made Aadhaar mandatory for services from getting a SIM card to filing taxes. Yes, the same Aadhaar that makes a database of citizens’ fingerprints and iris scans, and that until recently was optional.
Aadhaar is on it’s way to becoming the only identity card in the future. But, a major component is biometric identification technology, and technology can always fail. What happens if a software cannot recognise you? Or what if you don’t have biometrics that can be scanned?
With over a billion Indians possessing an Aadhaar card in 2017, The Quint spoke to security experts about the potential pitfalls of biometric scanning.
Does Aadhaar Universally Incorporate?
For enrolling to get an Aadhaar number, Unique Identification Authority of India (UIDAI) laid down three parameters on scanning biometrics – iris, fingerprints and face. However, these are only for the ages 5 years and over.
While people with visual disabilities were incorporated in the initial sample size, that isn’t the only kind of disability that exists.
Are these people being taken care of by the government?
Ever-Changing Rules for Biometric Scans
There are two categories of people for whom Aadhaar rules are changed – the disabled and children.
For those with vision impairment, there is introducer-based enrolment and for those without fingerprints, iris scans are taken.
The Quint spoke to Kiran Jonnalagadda, the founder of HasGeek and trustee of Internet Freedom Foundation (IFF) about introducer-based enrolment.
IFF was born out of savetheinternet.in, and works on issues of net neutrality, freedom of expression and privacy.
When a person cannot prove their address or identity, introducer-based enrolment is used. There are multiple introducers in every geographic area, and belong to the government and other agencies like civil society groups and banks.
“For people with handicaps, UIDAI has taken care to give people an Aadhaar number with just one of the biometric scans,” says Jonnalagadda.
Children and Aadhaar
For children under 5 years, facial scans along with ID proofs of their parents/guardians will be taken. The proofs include their Aadhaar/ID cards, their relationship with the child, address, and capturing of their biometric information. But this information needs to be updated after the child turns 15.
Shortcomings of Aadhaar
When asked if there have been cases of people not getting their face recognised due to any facial reconstruction surgery done after getting their Aadhaar number, Jonalgadda said he wasn’t aware of any such instance.
Is Security Compromised With Just One Scan?
It’s clear that Aadhaar cards can be made with either just an iris scan or fingerprints.
The Quint spoke to Nikhil Pahwa, the co-founder of savetheinternet.in to ask if taking both scans does mean more security.
However, according to Jonnalagadda, the two scans are for backup and for additional security to the database. He also said that finger scanners are more widely used because iris scanners are much more expensive.
Dual-Scans to Profile Citizens or Prevent Number’s Misuse?
Even if both the scans are being taken to strengthen the database, there’s always more to a story than meets the eye. Is the government’s ‘extensive database’ just profiling citizens, much like criminals, by taking iris scans and fingerprints?
Pahwa said, “(taking both scans) is a clear issue of profiling.”
However, Jonnalagadda was of a different view.
But if only one biometric were to be captured, there would be a section of people unable to avail of it – either visually impaired people who couldn’t take iris scans, or people whose fingerprints didn’t work for fingerprint scans – which is why both are taken.
Will Biometric Theft Become More Common?
Sameer Kochhar, entrepreneur and president of the think tank Skoch, recently pointed out in a video how simple it is to illegally store someone’s fingerprints, for which an FIR was registered against him.
In February, UIDAI even lodged criminal complaints against Axis Bank, Suvidha Infoserve, eMudhra for illegally storing and using Aadhaar data to impersonate people and carry out transactions.
Aadhaar is moving towards becoming the one, all-encompassing digital identity. How common will biometric theft be, wherein a person’s fingerprints or iris scans are stolen?
Pahwa said that when all the identities are linked and a hacker gets access to them, all the digital identities of a person are at stake.
He said that the one way of ensuring theft doesn’t occur is to “not have a single-point that connects all your identity to a database.”
“A Risk Not to Fret About Yet”
But Jonnalagadda doesn’t think biometric theft is to be worried about, yet.
How does Replay-Attack Differ from Biometric Theft?
In the former, the person scans their finger/iris at least once. It can be captured by the scanner and stored to use later, without the person being present.
For the latter, it’s done by hackers, without the person ever needing to give their biometric scan anywhere.
For this reason, it is not advisable to link all your data or have it all stored in the same place, as Pahwa explained.
With these obvious shortcomings of the Aadhaar, how safe is your identity?
Join us on WhatsApp. Type “JOIN” and send to 9910181818.
(The Quint is now on WhatsApp. To receive handpicked stories on topics you care about, subscribe to our WhatsApp services. Just go to TheQuint.com/WhatsApp and hit the Subscribe button.)