Premise
Aadhaar is a once-in-national-history opportunity to make government – and private – services efficient and transparent. For the first time, the country is close to having a universal, digital, accessible system of authentication and authorization. It is a system for any Indian to say ‘I – and only I – am me’, and ‘I – and only I – give my assent’. It is lightweight, fast and non-repudiable (I cannot say ‘that wasn’t me’). Finally, it is a platform: there is a trust-hierarchy-based system for entities public and private to build services and applications that use Aadhaar. It is vastly superior to the (much older) United States Social Security Number system. It is as capable as, and in many critical ways better suited to India than Estonia’s E-Estonia national ID system.
For all its future promises and present benefits, Aadhaar has received plenty of bad press. Some of it has been accurate, most of it not. All of it has called for the dismantling of the Aadhaar/UIDAI system and the end of a universal ID. In terms of opportunity cost this would be much worse than the decades-long economic isolation India imposed on itself until the 1990s.
I think we should take a look at some of Aadhaar’s design flaws. We should also be clear about people’s misconceptions about how Aadhaar works. With this, we will not only be able to propose concrete ways to fix these issues but we will also discover new opportunities for transparency, efficiency and – importantly – privacy.
The chief issues with Aadhaar
The four most important ones seem to be
- A lack of understanding of how Aadhaar identify verification works
- Leakage of personally identifiable information (PII) through third parties
- Security of Aadhaar + OTP for remote authentication
- Potential for misuse of Aadhaar by the Government for surveillance
Dealing with these issues
1. Entities don’t understand how Aadhaar asked identity verification works
I wrote a couple of blog posts previously about this here and here.
The summary is the following: Aadhaar was designed to be a digital identity system for authentication and authorization. It was not designed to be a photo-ID card like the EPIC (voter-ID card) or PAN card or a drivers’ license. The UIDAI has repeatedly and widely said that an Aadhaar card downloaded from its website and printed is about as ‘valid’ as the glossy-paper ID card it first sends you.
The only two ways to prove your identity using Aadhaar are to state your Aadhaar number and then have your fingerprint or iris scanned – or in some cases, match an OTP received on your Aadhaar-registered mobile phone.
Possession of an Aadhaar card means nothing. You can mock-up a hi-fidelity Aadhaar card with your name, photograph and another person’s Aadhaar number (complete with bar code representation), but it counts for nothing unless you also have identical fingerprints.
The government needs a massive ubiquitous education campaign about this, urgently, to calm concerns about Aadhaar based identity theft. It is only a concern because an Aadhaar card is commonly – erroneously – treated like a photo-ID card for proof of identity, and which is why the leakages of Aadhaar numbers are thought to be such a problem.
2. People’s personally identifiable Aadhaar information leaks when third party systems are compromised
As we have seen, merely knowing a person’s Aadhaar number is not a problem by itself. It’s sensitive data but not secret. UIDAI’s myths/facts PDF draws an analogy with your bank account number, which is present on your cheques. Your PAN number is another example.
One problem with your Aadhaar number being publicly known is when the possession of an Aadhaar card itself is – quite mistakenly – taken as proof of identity by authenticating entities (as we’ve seen in the previous section).
The second, other, problem is leakage of personal data – gender, age, in many case data of birth, physical address, email address and mobile number – from the databases of third parties. This is either a result of the entity’s databases being accessed from outside, or copied by an insider. This data is harmful when publicly known.
Nandan has often said that the canonical Aadhaar data is encrypted at rest and in motion (i.e. when stored on UIDAI servers or accessed via the Aadhaar APIs) and therefore secure. This is true, but the problem is that the UIDAI allows specific entities – either a registered KYC Service Agency or KYC User Agency (KSA and KUA) – to receive the data above (plus the on-record photograph of the person) in response to an eKYC request. Data protection policies and enforcement at these third parties are what is compromised.
The result is that people have trusted the Government with their data, the Government has let third parties – whether public or private entities – make a copy of this data without control over its security at the third party, and now that data has been leaked. Hence the angst.
To put an end to this, we need to re-think KYC from the ground up:
Until now, entities that have been required to perform KYC have maintained proof of identity and address in order for law enforcement to identify, track and locate suspects and criminals. If my Airtel number is found in the call logs of a criminal’s/terroist’s phone, Airtel should be able to provide the police with my name, photograph and address. It’s the same with a bank/other financial serivces in case of say financial fraud.
However, consider this: if these entities have my Aadhaar number, verified via a fingerprint or iris scan, do they also need to have my name, address, email, gender, date of birth (as from my Aadhaar) duplicated on their records? Airtel could just as well provide the police with my Aadhaar number. The police should be among the few agencies to be able to reverse-lookup my personally identifiable data from my Aadhaar number, and that too in a restricted and carefully controlled manner.
We ought not to confuse the company collecting data for its customer profile with data collected for KYC. As things stand today, data received via the eKYC request to UIDAI is used to fill out the customer profile. If and when this customer profile data is leaked, by extension the customer’s Aadhaar data is too.
Companies shoudn’t be using one to populate the other and the simplest way to ensure that is to stop sending them Aadhaar data. An Aadhaar eKYC request can then resembe an Aadhaar authentication request. If the biometric data matches the Aadhaar number, UIDAI sends back ‘Yes’ with a token that indicates the Aadhaar number on record has been verified.
The company can separately have the customer fill out a signup form. The customer should be free to provide whatever information they feel is appropriate here. An office address instead of a home address, an email address set up specifically for commercial purposes or a phone number maintained for such – the company should be able to get in touch with you the way you want. Leave the date of birth and gender blank if so desired: neither does the company have an inherent right to know these details about you; you pay them in return for the service (either monetarily, or by making the data created through your use of the service commercially available, or both), nor should the company be allowed to refuse service if the customer declines to provide these details.
This is customer privacy the way it should be – a clear separation between data required for law enforcement and that requested for commercial purposes. The company’s singular responsiblity, then, is to maintain a ‘verified’ token for every single customer.
Closely related to this is the Who Will Watch The Watchmen problem and concerns about misuse of Aadhaar data for state surveillance/vendetta. Let’s look at this in its own section later.
3. The security of Aadhaar + OTP for remote authentication
Aadhaar + a mobile number OTP is vulnerable to the Dead Grandfather problem; a person could sign up as their dead grandfather if they know the latter’s Aadhaar number and if they have access to their phone; not at all uncommon. So while Aadhaar + biometric authetication is sufficient to, say, open a bank account, Aadhaar + OTP is not: the RBI rightly requires banks to perform in-person verification by getting a person’s ‘wet signature’ on a form to be then placed on record.
The downside to this is that a ground-up digital process still requires a physical step: the customer and a bank representative must physically meet to either authenticate biometrically or collect a signature. As of 2017 some banks have pushed the envelope with verification via a video call, or a photo of the customer holding the day’s newspaper, but both of these are clunky because they attempt to simulate an in-person meeting.
Here I think India could learn from Estonia’s famed electronic national ID.
From 2002 every Estonian resident has been issued a national ID and now a Chip-and-PIN card. There are two PINs: one for authentication and the other to authorize a transaction. Coverage is 100%, the vast majority of government services use this electronic ID, including for voting in national elections. Now this worked well in the PC era in a country with near-100% computer availability: you plugged the card into a USB holder; navigated to a website that authenticated using the national ID, then used the a browser based plugin to input your PIN and you were in.
For mobile-based authentication and authorization, the country issued special mobile SIM cards with a SIM based app to ask for and capture these PINs (Mobiil-ID). This works on nearly any mobile phone – dumbphones or featurephones. The process closely resembles chip and PIN: the web-based or physical service asking for authentication requests the national ID system to prompt the user for their PIN. The SIM-based application pops up the prompt on the mobile phone, the user enters the PIN and the assent is sent back to the service.
This is most definitely something the government should mandate and enforce, in the same way it forced mobile phone manufacturers to build in SOS signalling capabilities.
This mechanism, whether using the chip-and-PIN national ID card or the SIM, is essentially two-factor authentication. One of the factors is something you have (in this case, the smart-card or the mobile phone with the SIM) and something you know (in this case the PIN). Knowing a person’s national ID and only one of the two factors is insufficient for a thief to authenticate (or authorise); they must both possess the card/phone and know the PIN(s). This is unlike Aadhaar + OTP, where as we saw, just knowing a person’s Aadhaar number (which is not secret) and being able to read the OTP is enough.
For what it’s worth, a couple of years ago Estonia introduced a complementary app-based system (‘Smart-ID’) with the same capabilities as Mobiil-ID. This is an iOS and Android app instead of a SIM-based app and can therefore send rich notifications to prompt for PINs. The resident registers their national ID and enters & verifies their PINs once in the app to ‘bind’ that app install to their ID. Subsequent requestes by services for authentication and authorization send notifications, in response to which the resident enters their PIN.
UIDAI can tweak the Aadhaar system, APIs and the m-Aaadhaar app to work in exactly this manner. Whether there are separate PINs for authentication and authorization is an implementation detail.
With close to 200 million smartphone users, this is a chance to bring massive efficiencies everywhere, from payments to signing up for utilities and services to participating in elections and other referendums (the latter can now be held, locally, without setting up the sort of physical and personnel infrastructure elections today require)
(It’s worth mentioning that the app will also (as of 2017) support TouchID and other fingerprint based authentication, like Apple Pay. Note that this is not a traditional biometric scan; the fingerprint isn’t captured and sent over the Internet to be matched with the ones on record. The fingerprint is used locally, on the device, to instruct the app to auto-fill the PIN instead of the person entering it every time it is asked for. This is worth emphasising because – anecdotally – there seems to be a widely-held misconception that one can authenticate to Aadhaar biometrically with a fingerprint-reader-enabled phone. That’s not how fingerprint readers work; the fingerprint itself is never stored, even locally. Only an encoded representation is stored on a secure hardware element. Subsequent fingerprint scans are also encoded and compared with the original encoded representation.)
4. The potential for misuse of Aadhaar by the Government for surveillance
We proposed earlier that service providers, whether public or private, do not need to have access to Aadhaar data, much less store a copy of it. In the case that law enforcement needs information about an individual, they can reverse-lookup an individual’s record from the Aadhaar number in the UIDAI database. Only specific agencies should be able to perform such a reverse lookup.
By itself, this doesn’t resolve the problem of misuse of the data by these agencies. That with a single identity it becomes easier for law enforcement to track your activity across train and airline ticket purchases, cab rides, hotel and Airbnb stays, lease agreements, card/UPI purchases, even internet browsing activity (these are some among an increasing range of services) and use it to harass you. This tracking is possible even today; with poor data privacy norms/laws, law enforcement can and likely does have access for the data above. A singe identity will make this lookup much easier.
But with the right infrastructure, India can in fact make this sort of tracking more transparent and hold both citizens and law enforcement accountable for their actions. But we need to, once again, re-think data access from the ground-up. There are two closely related aspects to this, technical and legal.
First, we need an instant, non-repudiable, immutable (ie non-reversible and non-tamperable), anonymous, trustless method of recording every Aadhaar based activity, whether authentication or authorization, whether by private/public entities or by law enforcement. In other words, we need an Aadhaar Blockchain. Every API transaction – enrollment, data updation, authentication request, KYC request, Aadhaar token request and reverse-lookup – should be automatically added to the blockchain by the UIDAI system, along with of course the timestamp. Most importantly, the Aadhaar numer of the person requesting (ie the specific law enforcement official) should also be part of the transaction that is written.
Since no other entity than law enforcement is allowed to reverse-lookup, the face that the blockchain contains citizens’ and law enforcement’s Aadhaar numbers will not bea risk to privacy. Unlike a transaction log in a database, a blockchain will also make sure no law enforcement or government official or agency can tamper with records.
Since only a blockchain with a large number of nodes is secure from tampering, let us add as many citizens’ phones as possible as nodes on the Aadhaar Blockchain. Every installation of the MAadhaar application has a copy of the blockchain, and a phone is chosen at random to cryptographically add a transaction block to the blockchain. At close to 200 million Internet-connected smartphones, this is likely to become the most broadly distributed blockchain in the world, and by the nature of blockchains, among the most secure.
Other than national elections, this will be the largest, deepest form of citizen participation in democracy. And unlike an election it will be continuous, an ever-present monitor of any electronic tracking of citizenry by the State.
Second, this blockchain and its data needs legal support. We should have separate courts for matters of data privacy. If a citizen has concerns about surveillance through unlawful access and use of their Aadhaar-linked activity, they should be able to easily move court. The judiciary is now able to go through the Aadhaar access log on the blockchain and reverse-lookup who accessed what data from which citizen: their activity on third party services (through the token lookup), their Aadhaar profile (through the reverse-lookup). Of course, every judicial lookup is also written to the same blockchain, complete with the Aadhaar number of the judicial official and timestamp.
“If you look up my data, I will know so.” This is a watertight framework to guard against the vast majority of cases of misuse of Aadhaar data for unalwful surveillance and potentially vendetta/harassment.
We have to make an exception for matters of national security, and such cases need to be explicitly spelt out. Only a handful of specific named people in military, law enforcement and the Government should be able to lookup data without it being written to the regular Aadhaar Blockchain (though it may be written to a smaller, much more private Blockchain). These are activities that need to be kept secret and while I am not a fan of such exceptions, I can allow for the possibility of such cases. Of course we will need to codify in law which positions are allowed to make such secret requests.
Summary
Aadhaar is a system that has no contemporary or historical parallel. Accordingly, to safeguard its operations and data, it will need a technical, legal and societal framework that does not exist commonly today. This piece outlines such a framework.
Fortunately we have technology today to support this, like tokenization and the blockchain. There are unique societal circumstances – a few hundred million data-enabled and connected phones – to participate in the safekeeping of this data. We would not be able to build such a system say ten years ago even if Aadhaar itself had existed.
Aadhaar today has some real issues, which is the whole point of this article. Instead of calling for its dismantling, let’s figure out – constructively, cooperatively – how we can fix design flaws and safeguard access to data; how we can employ technology and the law in a way that makes it more secure and transparent, creates more accountability than existing systems, whose security relies more on obscurity than anything else. The benefits are of a nationwide natively-digital ID are just to great to ignore.
Endnote
There are some other problems with Aadhaar that I have intentionally left out and may address separately once I understand them better:
- People not being able to enroll to Aadhaar because of lack of reliable fingerprints/problems with iris scanning
- Being able to sign up for more than one Aadhaar account; being able to enroll as someone else
- Keeping Aadhaar data current; especially address
- Ensuring that the service that a person gives their assent to is in fact the service being availed. This is not an Aadhaar-specific problem, but can Aadhaar help here?