24, Jan 2018 | Teesta Setalvad
Any breach of security or compromise of the Aadhaar database means that hackers can ascertain the exact location of our army personnel every time they withdraw their salary using Aadhaar for authentication. This can be a big risk to national security, and it is just one example of why it is, in my opinion, imprudent to use such a system. Here is an account of several other threats posed by Aadhaar, as explained in an affidavit filed before the Supreme Court.
In a new affidavit filed before the Supreme Court, technocrat Samir Kelekar, who has more than three decades of experience in cyber-security, has pointed out the sheer imprudence of the proposed Aadhaar project. The affidavit points out that Aadhaar does much worse than just compromise basic privacy: it facilitates real-time and non-real-time surveillance of UID holders by the UID authority, and by any other actors that gain access to the authentication records held with that authority or to the authentication data traffic, as the case may be.
These facts were brought out in a fresh affidavit read out before the Supreme Court today. The entire affidavit may be read here:
Kelekar, son of the Goan freedom fighter Gurunath Kelekar, has said that “it is quite easy to know the location and type of transaction every time such authentication takes place using a scanner for fingerprints or iris and the records of these in the UID / “Aadhaar” database.”
Explaining the point, he has said that this is not “dissimilar to knowing the place from where a person made a call using his / her mobile phone. Just as the mobile phone connects to a tower from where the phone signals are sent to other towers and the servers of the mobile phone companies, biometric scanners also have SIMs and IP Addresses to locate the place from which the transaction took place and its nature. Any administrator of the UIDAI server or any employee or other person with access to transaction data, with a little help from the servers (Authentication User Agents and Authentication Server Agents, as they are called in UIDAI literature), through which the authentication request is sent to the UIDAI, will be able to track the transaction and the person carrying out the same.”
Further, he has pointed out that “UIDAI recommends that each point of service device i.e. the device from which an authentication request emanates, register itself with the UIDAI and acquire for itself a unique device ID, which shall then be passed to the UIDAI along with the request for every authentication transaction.” This method of uniquely identifying every device, and of mapping every authentication transaction to the unique registered device it came from, further simplifies the task of pinning down the exact location and place from which an authentication request emanates.
What is really worrisome is that “there are technical tools that are available that make it easy and possible to track the electronic path that authentication requests from any given authentication device to the Central Identification Data Repository take as part of their authentication transaction.”
No security is perfect. Other systems, however, offer the possibility that “in case of a breach, the damage is minimal and backups are available. Hence, passwords should be changeable.” Interestingly, “Biometrics as a password is problematic in that it cannot be changed if stolen/lost/hacked.”
Finally, a centralised database has the problem that once hacked, all data can be lost. Specifically, consider Army personnel using this as an authentication mechanism before receiving their salaries. The location from which they authenticate can be found, because authentication is done via a scanner which has an IP address or is on the mobile internet. From the tower to which the scanner connects via its SIM card, its location can be found. This data will be available in the logs of the Aadhaar system.
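The linkage the affidavit describes, modelled as an added example (not code from the affidavit or from UIDAI): a device register keyed by the unique device ID, an authentication log that records that ID with every transaction, and the join that turns the two into a per-person location trail. The `pseudonymise_log` mitigation is the editor's suggestion, not a UIDAI design; the registry, log records and HMAC key are constructed sample data.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data, not taken from the affidavit or from UIDAI.
# DEVICE_REGISTRY models the register of point-of-service devices, each with the
# unique device ID it obtained on registration; the coarse location comes from the
# SIM/tower or IP address the device uses, as the affidavit describes.
DEVICE_REGISTRY = {
    "DEV-001": {"operator": "bank-branch", "cell": "CELL-4412"},
    "DEV-002": {"operator": "ration-shop", "cell": "CELL-9107"},
}
# AUTH_LOG models the authentication records: every transaction carries the
# device ID alongside the UID that was authenticated.
AUTH_LOG = [
    {"ts": "2018-01-05T09:01", "uid": "UID-A", "device_id": "DEV-001"},
    {"ts": "2018-01-05T17:20", "uid": "UID-B", "device_id": "DEV-002"},
    {"ts": "2018-02-05T09:03", "uid": "UID-A", "device_id": "DEV-001"},
]


def location_trail(log, registry):
    """Join the retained records with the device register: the result is a
    time-stamped location trail per UID holder, which is the exposure the
    affidavit warns about.  Anyone with read access to both tables gets it."""
    trail = defaultdict(list)
    for rec in log:
        dev = registry.get(rec["device_id"])
        if dev is not None:
            trail[rec["uid"]].append((rec["ts"], dev["cell"]))
    return dict(trail)


def pseudonymise_log(log, key):
    """Data-minimisation mitigation (editor's suggestion, not a UIDAI design):
    store a keyed pseudonym of the device ID instead of the ID itself.  The HMAC
    key is held by the device-registration system, so the authentication store
    on its own can no longer be joined to the register."""
    out = []
    for rec in log:
        tag = hmac.new(key, rec["device_id"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"ts": rec["ts"], "uid": rec["uid"], "device_id": tag})
    return out


if __name__ == "__main__":
    print(location_trail(AUTH_LOG, DEVICE_REGISTRY))
    print(location_trail(pseudonymise_log(AUTH_LOG, b"registry-key"), DEVICE_REGISTRY))
```

The pseudonym is still a stable identifier, so repeat visits to the same device remain linkable inside the authentication store; rotating the key per period bounds that, and a short retention window for the records matters as much as the pseudonym itself.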
About the Petitioner
Samir Kelekar’s firm is M/s. Teknotrends Software Pvt. Ltd. He graduated from the Indian Institute of Technology, Mumbai (IIT, Mumbai) in 1983. He holds a post-graduate degree in Computer Engineering from Clemson University, South Carolina, USA, and a doctorate (PhD) in electrical engineering from Columbia University, New York, USA.
His clients include Canara Bank, G E Health and MTN, a multi-national South African mobile phone company.