Authored by Nick Corbishley via NakedCapitalism.com,
In one fell swoop, roughly 10% of the global population appears to have had some of their most valuable personal identifiable information (PII) compromised. Yet Aadhaar continues to receive plaudits from Silicon Valley.
An anonymous hacker claims to have breached the digital ID numbers, as well as other sensitive personal data, of around 815 million Indian citizens.
To put that number in perspective, it is more than 60% of the 1.3 billion Indian people enrolled in the government’s Aadhaar biometric digital identity program, and roughly 10% of the entire global population. Thanks to the breach — the largest single one in the country’s history, according to the Hindustan Times — the personal data of hundreds of millions of Indians are now up for grabs on the dark web, for as little as $80,000.
To register for an Aadhaar card, Indian residents have to provide basic demographic information, including name, date of birth, age, address and gender, as well as biometric information, including ten fingerprints, two eyeball scans and a facial photograph. Much of that data has apparently been compromised.
Media reports suggest that the source of the leak was the Covid-19 test data of the Indian Council of Medical Research (ICMR), which is linked to each individual’s Aadhaar number.
The alarm was first raised by Resecurity, a Los Angeles-based cyber security company, which on Oct 15 included the following in a blogpost on its corporate website:
Digital Identity Theft
A leak of such highly sensitive personal identifiable information (PII) creates a significant risk of digital identity theft, warns Security Affairs:
Aadhaar (Hindi for “foundation”) is a 12-digit unique identity (UID) number issued by the government after confirming a person’s biometric and demographic information. Launched in 2012 as part of an initiative to give each Indian resident a unique identification number, it is the largest digital identity system on the planet, with 1.3 billion UIDs issued by 2021, covering a staggering 92% of India’s population.
It was ostensibly created to provide people without identification a formal government ID as well as crack down on duplicate, fake or stolen IDs used to benefit from government programs and welfare schemes.
And it quickly drew interest and praise from elite quarters around the world, including Silicon Valley.
In a 2019 entry of his “Gates Notes” blog, Bill Gates lauded Aadhaar for making “India’s invisible people visible.” Three years earlier, in a lecture on Technology for Transformation, Gates had said that Aadhaar is something that had never been done before by any government, not even in a rich country. He also claimed it does not pose any privacy risks; try telling that to the 815 million people whose personal data is now up for grabs on the Dark Web!
Together with Nandan Nilekani, one of the co-founders of Indian tech giant Infosys who is widely recognised as Aadhaar’s chief architect, Gates went on to play a key role in exporting Aadhaar to other parts of the so-called Global South, much of it financed by the World Bank. The two tech billionaires also reportedly helped persuade the Modi government to embark on the disastrous path of demonetisation in order to expand cashless payment alternatives. Demonetisation is believed to have caused a 2% drop in India’s GDP growth in 2016/17 alone — the equivalent of $52 billion, according to the Sunday Guardian.
Even today, Aadhaar continues to receive plaudits from Silicon Valley, despite all of its security flaws, privacy concerns and other issues. Worldcoin, the controversial cryptocurrency project set up by OpenAI CEO Sam Altman that uses an eye-scanning “orb” to give users a unique digital identity to verify whether they are human, recently said it seeks to emulate India’s Aadhaar system in its own creation of a global identity and financial network.
Ironically, both Aadhaar and Worldcoin were featured in a recent report by Moody’s Investors Service as examples of how not to develop a digital identity system. As I noted at the time, it is not clear whether Moody’s criticisms were merely poorly timed, given the geopolitical backdrop, or form part of a broader campaign in the Anglosphere against India’s interests. The Modi government and Indian tech businesses are desperately keen to export the so-called “Indian Stack” — the Jan Dhan Yojana, a financial inclusion program; UPI, an instant payments system launched in 2016, just six months before the government yanked 84% of India’s cash notes out of circulation in its infamous demonetisation campaign; and Aadhaar.
Mission Creep on Steroids
Aadhaar was first introduced as a voluntary way of improving welfare service delivery. But the Modi government rapidly expanded its scope by making it mandatory for welfare programs and state benefits.
The mission creep didn’t end there. Aadhaar has become all but necessary to access a growing list of private sector services, including medical records, bank accounts and pension payments. According to Security Affairs, it is the security weaknesses of many of these third parties, including utility companies, independent service providers, mobile and telecommunication operators, and lending and fintech services, that are behind many of the data breaches.
Plans are also afoot to link voter registration to Aadhaar, despite the system’s glaring security flaws. Besides the vulnerability of its data storage, India’s Aadhaar system has many other downsides, as I noted in my book Scanned:
The public body in charge of Aadhaar, the Unique Identification Authority of India (UIDAI), is yet to comment on the latest breach. But if past form is any guide, when it does it will deny all charges. It has so far denied all accusations of data breaches since the Aadhaar system went fully live seven years ago, including claims from Wikileaks that the CIA might have access to the database and allegations in the World Economic Forum’s Global Risks Report 2019 that Aadhaar had “suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens.”
Given the sheer number of breaches Aadhaar has suffered, this level of denialism is becoming untenable. Even Biometric Update, the most important trade publication for the biometrics industry, has warned that India is “bleeding biometric data.” And biometric data is our most valuable personal identifiable information. If it is hacked there is no way of undoing the damage. You cannot change or cancel your iris or fingerprint like you can change a password or cancel a credit card.
The chances of that data being hacked are significant given how porous most databases are, notes Professor Sandra Wachter, a data ethics professor at the Oxford Internet Institute:
Given the sheer number and scale of recent breaches, the “Indian govt’s insistence that Aadhaar is secure rings hollow,” concludes Biometric Update:
The latter case is particularly pertinent since it reveals how fragile biometric identifiers can be, especially when it comes to finance. In recent years, a consortium of public and private sector players, including the Reserve Bank of India, UIDAI, the National Payments Corporation of India (NPCI) and the Institute for Development and Research in Banking Technology, has developed a cardless banking system called the Aadhaar-enabled Payment System, or AePS. To avail of the service, all customers need is a bank name, an Aadhaar number and the biometric identifiers captured during their Aadhaar enrolment. It’s quick and easy, but not remotely safe.
A recent criminal case in Bengal has revealed that a purely biometric-enabled payment system, involving no cards and no PINs, is not secure, particularly when the biometric identifiers in question and Aadhaar numbers are easily accessible on the World Wide Web. As always in these cases, enterprising fraudsters are leagues ahead of the authorities. From Business Standard:
The response from certain banks and law enforcement agencies is revealing: they are telling bank customers to lock their biometrics in the m-Aadhaar app or on the UIDAI portal and to start using a four-digit PIN to authenticate payments and prevent unauthorised access to their bank accounts. It is an open admission that biometric identifiers, on their own, are not safe enough for transaction purposes. Nor are they being stored securely by public or private entities. This should (but probably won’t) serve as a cautionary tale for all the other governments and companies around the world seeking to harness the power of biometric identifiers and digital identity.