No Operator Can Make Or Update Aadhaar Unless Resident Himself Gives His Biometric: UIDAI On Software Hacking

The Unique Identification Authority of India (UIDAI), on September 11 posted a series of 24 tweets in which they dismissed a news report about the Aadhaar Enrolment Software being allegedly hacked as incorrect and irresponsible. It also said, “The claims lack substance and are baseless. UIDAI further said that certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted.”

#PressStatement
UIDAI hereby dismisses a news report appearing in social and online media about Aadhaar Enrolment Software being allegedly hacked as completely incorrect and irresponsible. 1/n

— Aadhaar (@UIDAI) September 11, 2018

It further added, “No operator can make or update Aadhaar unless resident himself give his biometric. Any enrolment or update request is processed only after biometrics of the operator is authenticated and resident’s biometrics is de-duplicated at the backend of UIDAI system.”

What news reports are saying?

While Aadhaar data security has always been the bone of contention since the inception of its framework back in 2009, UIDAI has found itself placed in a fresh controversy. UIDAI’s 24-part clarification comes after HuffPost India published an article claiming that they have access to a software patch which disables critical security features in the Aadhaar database, allowing hackers to generate unauthorised Aadhaar numbers. As per the report, the software patch is freely available for a price of Rs 2,500 only. Moreover, the report also said that the patch was analysed by three internationally reputed experts and two Indian analysts.

The investigative report by HuffPost India claims that the software patch compromises Aadhaar enrolment software on three fronts – users can bypass the need for biometric authentication, it disables the software’s inbuilt GPS system and finally, it reduces the sensitivity of the iris recognition feature.

The Aadhaar-issuing body clarified that it matches all the biometrics which include both iris and 10 fingerprints of the resident enrolling for Aadhaar with the biometrics of all other Aadhaar holders before issuing a new Aadhaar.

UIDAI claims that their system is robust and stringent

Abhiraj Krishna, a lawyer who deals with Aadhaar related matter for private entities, while speaking to The Logical Indian said that no Aadhaar-related authentication is completed without a biometric check. He further explained and while the news report talks of generating unauthorised Aadhaar numbers, it is unclear from the report as to whether such fake numbers can also get authenticated. Until and unless, the 12-digit number is authenticated (matched with biometrics) such fake numbers are unlikely to create ghost beneficiaries for Governmental schemes, he added. He said that UIDAI (from a legal and regulatory perspective) has built-in end-to-end security mechanisms in place and that the regulations are fairly robust.

Besides, he added, that biometric authentication is only permitted through registered devices that comply with technical requirements specified by the governing body – UIDAI. So, any potential security breach is required to be analysed holistically.

Refuting HuffPost’s claims, UIDAI clarified that enrolments operators, if found flouting prescribed norms are blacklisted and fined. Moreover, it added, “It is because of this stringent and robust system that as on date more than 50,000 operators have been blacklisted.”

It added, “People are also advised to approach only the authorised Aadhaar enrolment centres in bank branches, post offices and Government offices for their enrolment/updation.”

Earlier instances of Aadhaar data breach

The issue of Aadhaar data being leaked gained notoriety when The Tribune in their investigative reportage allegedly found out that anyone can gain access to billions of Aadhaar details just by paying Rs 500 to an anonymous seller over WhatsApp. Other news reports over the years have also highlighted the problem and loopholes in Aadhaar’s security measure in keeping the information private. Recently, Telecom Regulatory Authority of India (TRAI) Chairman and a former CEO of UIDAI, R S Sharma, in a bid to quash a twitter users’ challenge that Aadhaar data is insecure, the former UIDAI Chairman published his Aadhaar no. on July 28. In the tweet, which probably flouted UIDAI norms as well, Sharma asked the twitter user to give one concrete example of the harm that could be done to him.

Also Read: UP: Using ‘Fake’ Aadhaar Cards, 1.86 Lakh Transactions Done To Steal 2.2 Lakh Tonnes Of PDS Supply