Biometrics: The Big Gaping Hole At The Heart Of Aadhaar

Recent cases have shown not only that fake biometrics can be provided to create “ghost” Aadhaar numbers for non-existent people, but also that biometrics of real people can be stolen relatively easily.

This defeats the government’s stated purpose behind launching Aadhaar: to provide a foolproof and universal identification scheme using a person’s Aadhaar number and biometrics, i.e., fingerprints and iris scans.

The challenge with any identification scheme is how to ensure that the person presenting the identification is actually who she or he claims to be.

The government’s magic bullet was to use biometrics, which it claimed would provide a more trustworthy form of identification. So confident was the government in the use of biometrics that schemes were designed where biometrics alone would be used to authenticate a person, without the need for any additional authentication information such as passwords. The government marketed the use of biometrics as the key enabler for providing online authentication services across India to “anyone, anywhere, anytime.”

The former Attorney General, Mukul Rastogi, who represented the UIDAI (the agency responsible for rolling out Aadhaar) in the Supreme Court, stated, “Aadhaar is the only foolproof method of an identity which cannot be faked. Biometrics can as yet not be faked.”

UIDAI CEO Ajay Bhushan Pandey has argued, “People should not even attempt to enrol twice. They will be caught very easily. They are unaware that they have given their biometrics.”

This reliance on biometrics is proving to be the Achilles’ heel of the programme, and may very well be its central weakness, one that can be used to impersonate individuals or to create and use fake Aadhaar identities.

It is well understood, and has been demonstrated by hackers and security professionals the world over, that the software for biometrics such as fingerprints, iris scans or facial recognition can be easily fooled by taking imprints or high-resolution images from even cell phones and then replaying these to the biometrics software.

In India, a number of cases are now coming to light showing how biometric information can be copied without hacking into the central repository of the UIDAI.

In UP last year, a case came to light where a gang had hacked the secure ‘source code’ to access the Aadhaar enrolment application, and also cloned fingerprints of authorised officers by using gelatin gel, laser and silicon. This gang was then selling the software and the cloned fingerprints of authorised officers for Rs 5,000 to illegal operators, who could then create “valid” Aadhaar numbers for real and fictitious people at will.

In another case that came to light in the past few days, a couple of ration shop owners operating out of Surat were caught using software that contained ration card numbers, Aadhaar numbers and fingerprints of PDS beneficiaries. They were using this to divert food grains that were due to the PDS beneficiaries and then selling the grains in the black market. The police believe that a larger gang was involved in selling such software and fingerprints to people interested in committing such fraud.

What these cases show is the systemic design problem at the heart of Aadhaar: stolen biometrics could be used to impersonate people to steal benefits due to them, indulge in money laundering in their name or even steal money from their bank accounts.

Also, the money stolen in this fashion could be sent to accounts created using ghost Aadhaar numbers so that even after the fraud is detected the criminals involved would remain undetected.

Effectively, by aggressively pushing Aadhaar, the government has created a false sense of security and a belief in the infallibility of Aadhaar.

At the same time, it has created grave security risks not just for the vast majority of our population but also systemic risks for critical institutions such as our banks, telecom operators and government agencies involved in delivery of critical services to the most vulnerable of our people.