Why Does Aadhaar Data Continue to Get Compromised?
Some Practitioners Blame Weak Security Practices
In the latest in a series of security lapses involving Aadhaar, security flaws in an app developed by the National Informatics Centre earlier this month gave a Bengaluru-based software developer access to the Aadhaar numbers and personal details of thousands of citizens, according to news reports.
The app, called eHospital, uses the Unique Identification Authority of India's "know your customer," or eKYC, service to let patients book appointments at government hospitals. When security experts analyzed eHospital, they found that the app did not encrypt its communication with NIC's servers and that the password it used was hardcoded in the application. Because every copy of the app presented the same static credential, the UIDAI servers were unable to distinguish legitimate requests for Aadhaar data from NIC's eHospital app from unauthorized requests sent by other apps, the news report adds.
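As an added illustration, not code from the article or from NIC or UIDAI, the Python sketch below contrasts the two designs the report touches on: a single hardcoded password that every copy of a client app presents, and per-client keys with HMAC-signed requests that let a backend attribute each request to one registered partner, reject replays and stale requests, and revoke one partner without affecting the others. The client names, keys, request format and timestamps are constructed for the example and stand in for no real Aadhaar protocol.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# --- Model 1: one hardcoded password shared by every copy of the client app ---
SHARED_PASSWORD = "demo-shared-password"  # constructed placeholder, not a real credential


def authenticate_shared_secret(request: dict) -> Optional[str]:
    """Return the caller identity the backend can infer, or None if rejected.
    Every copy of the app (and anyone who extracted the string from it) presents
    the same value, so the backend can only assume the caller is the official app."""
    if hmac.compare_digest(request.get("password", ""), SHARED_PASSWORD):
        return "ehospital"
    return None


# --- Model 2: one key per registered client, requests signed with HMAC-SHA256 ---
@dataclass
class ClientRecord:
    key: bytes            # provisioned to exactly one partner during onboarding
    active: bool = True   # set to False to revoke that partner alone


def _signature(key: bytes, client_id: str, ts: int, nonce: str, body: dict) -> str:
    # Canonical JSON keeps the signed bytes identical on client and server.
    canonical = json.dumps(
        {"client_id": client_id, "timestamp": ts, "nonce": nonce, "body": body},
        sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def sign_request(client_id: str, key: bytes, body: dict, ts: Optional[int] = None) -> dict:
    """Client side: build a request the verifier will attribute to client_id."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16)
    return {"client_id": client_id, "timestamp": ts, "nonce": nonce, "body": body,
            "signature": _signature(key, client_id, ts, nonce, body)}


@dataclass
class SignedRequestVerifier:
    registry: dict                  # client_id -> ClientRecord
    max_skew: int = 300             # seconds a request timestamp may differ from server time
    seen_nonces: set = field(default_factory=set)

    def verify(self, request: dict, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated client_id, or None if the request is rejected."""
        now = time.time() if now is None else now
        client_id = request.get("client_id")
        record = self.registry.get(client_id)
        if record is None or not record.active:
            return None                       # unknown or revoked partner
        try:
            ts = int(request["timestamp"])
        except (KeyError, ValueError):
            return None
        if abs(now - ts) > self.max_skew:
            return None                       # stale request
        nonce = request.get("nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return None                       # exact replay of an accepted request
        expected = _signature(record.key, client_id, ts, nonce, request.get("body", {}))
        if not hmac.compare_digest(expected, request.get("signature", "")):
            return None                       # wrong key, or identity/body tampered with
        self.seen_nonces.add(nonce)
        return client_id


def demo() -> dict:
    """Exercise both models with constructed keys and return each outcome."""
    body = {"op": "ekyc", "aadhaar": "<placeholder>"}
    # Model 1: a copy of the password is all any caller needs to be taken for the app.
    legit = authenticate_shared_secret({"password": SHARED_PASSWORD, "body": body})
    copycat = authenticate_shared_secret({"password": SHARED_PASSWORD, "body": body})

    # Model 2: each partner holds its own key; constructed registry and fixed clock.
    registry = {"ehospital": ClientRecord(key=secrets.token_bytes(32)),
                "other-app": ClientRecord(key=secrets.token_bytes(32))}
    verifier = SignedRequestVerifier(registry)
    now = 1_700_000_000
    genuine = sign_request("ehospital", registry["ehospital"].key, body, ts=now)
    # other-app claims to be ehospital but can only sign with its own key
    impersonation = sign_request("ehospital", registry["other-app"].key, body, ts=now)
    stale = sign_request("ehospital", registry["ehospital"].key, body, ts=now - 3600)
    registry["other-app"].active = False   # revoke one partner only
    revoked = sign_request("other-app", registry["other-app"].key, body, ts=now)

    return {"shared_secret_legit": legit,
            "shared_secret_copycat": copycat,
            "signed_genuine": verifier.verify(genuine, now=now),
            "signed_replay": verifier.verify(dict(genuine), now=now),
            "signed_impersonation": verifier.verify(impersonation, now=now),
            "signed_stale": verifier.verify(stale, now=now),
            "signed_revoked": verifier.verify(revoked, now=now)}


if __name__ == "__main__":
    print(demo())
```

Request signing only solves attribution; it does not replace transport encryption, so the per-client scheme still belongs on top of TLS, which the report says eHospital lacked.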
NIC is a government body that builds and maintains the digital networks that link every department and ministry of India's central and state governments and extends Aadhaar-enabled services for welfare programs. But in recent months, websites maintained by NIC have inadvertently published the Aadhaar numbers and financial details of millions of citizens, say practitioners.
Some security experts say UIDAI needs to revisit and redefine its security requirements for secondary and tertiary partners for Aadhaar authentication. "A lot of knowledge base has been added at UIDAI regarding security lapses," says Rakesh Goyal, director-general, Centre for Research and Prevention of Computer Crimes.
In recent months, there have been frequent news reports claiming that various government and private websites were displaying PII details of individuals collected because of Aadhaar.
Earlier this year, for example, the Centre for Internet and Society reported that the Aadhaar numbers and personal information of as many as 135 million Indians were illegally disclosed and published. Also, in July about 210 websites of central and state government departments were reported to have displayed the personal details and Aadhaar numbers of many beneficiaries.
"Leaks have happened from affiliates and government websites due to vulnerabilities of the applications handling Aadhaar data, such as in case of the recent incident involving eHospital app," says Yogesh Bhat, cyber law professor at Manipal University.
How Aadhaar Works
Any entity - government or private - can sign up to use the Aadhaar database. Aadhaar does two types of transactions:
- Authentication: An entity can send a person's identity details to Aadhaar to check whether the information is correct;
- e-KYC (Know Your Customer): An entity can send in a person's Aadhaar number and request KYC details, which are provided once the individual consents to it.
Of course, before this entire process is set up, UIDAI requires the entity to go through a security audit. This audit is carried out prior to the entity commencing its actual transactions. But some security practitioners claim that once operations start, it's likely that some of these security controls may not continue to be followed.
Despite the government repeatedly assuring citizens that proper security practices are in place, the Supreme Court, along with cybersecurity agencies, has expressed concerns over the security features of Aadhaar.
Although there is no reported incident of an Aadhaar data leak from UIDAI's Central Identities Data Repository, vulnerabilities in the applications handling Aadhaar data are apparently one of the causes of the repeated data compromises.
In April, the digital identities of more than 1 million citizens were compromised by a programming error on the website maintained by the Jharkhand Directorate of Social Security. "In most cases it's the developer or the application designer who aren't following the best practices for secure development," Dinesh Bareja, COO at Open Security Alliance, contends.
Furthermore, Aadhaar has secondary, tertiary and sometimes even quaternary links, and the security at these links isn't robust, some security experts claim.
"The instances of misuse of data by eHospital, Axis Bank and eMudhra (earlier in the year) happened because of weak security at the secondary level," Goyal says. "I have seen security audit certificates for Aadhaar's AUA (Authentication User Agency), where auditors have even marked those items as 'compliant', which aren't applicable. If an AUA is using only OTP-based authentication and not using biometric devices, even biometric related controls are checked as 'yes'. In one case, an auditor ticked all controls as 'yes'." There was no comment, observation, description or justification of compliance or non-compliance of control, he adds.
Questions About Aadhaar Mandate
Some security practitioners question the government's decision to mandate Aadhaar be used as an identity and address proof before taking care of issues leading to the recent security lapses.
Though Aadhaar was initially designed for one-way authentication, it now has linkages to many direct benefit transfers. "Thus, the functionalities and load increased without considering relevant security," Goyal claims.
Some security experts say that although multiple security rules and regulations are in place, actual enforcement is missing. "The solution is in ensuring that the mandate is respected and honored," Bareja says. "Another problem is that we make grand announcements about mandatory compliance but do not allocate adequate resources for educating or sensitizing the stakeholders. So we will continue to suffer, and the debate will go on."
Those found to be responsible for Aadhaar-related security issues should face penalties, some security experts argue.
"Penalize all the persons who are touch points, especially NIC, CERT and all agencies connected with the incident," Bareja says. "Everyone will make sympathetic noises, point fingers and then go back to their desk to install another weak application and put the nation at risk. In the event of a derailment, the railways fired and suspended a number of senior and junior officials so why can't the IT minister take such action here? Why can't auditors and the NIC officials be named?"
Goyal argues that robust security must be defined and implemented across the Aadhaar ecosystem, including data capture, local storage, data transmission, data storage, authentication, devices and logging.