Aadhaar flaws exposed by top security expert
Aadhaar is complex and it will have flaws just like any other complex software product does. Some of them may be quite serious and they must be treated as such. That will require an open and receptive attitude from the the government and above all, acknowledgement that Aadhaar is not “Hack Proof”.
Scientist Dr. Sandeep Shukla’s confidential studies highlighted the loopholes in Aadhaar but nothing has been done to beef up data security by the government yet.
Prof. Dr. Sandeep Shukla is one of the foremost system security experts and scientists in India. He has raised concerns on UIDAI Aadhaar’s security from time to time. One of his confidential studies highlighted the loopholes in Aadhaar but nothing has been done to beef up data security by the government yet, he observes.
In an exclusive interview, he spoke to Ujjawal Krishnam which is written below:
What is your general view of digital identifiers like passport and Aadhaar which contain sensitive information like biometric and demographic data?
I think that citizen’s privacy is not being taken seriously in India. A recent news article I read about the report by Justice Srikrishna committee on data privacy scared me. The report said that NASSCOM and other interested parties diluted the provisions for privacy, and any measure was not to be retroactive to data already available in the public domain. This is exactly the opposite of what Europe has done. Even in the US, when I went there as a student, social security number was used as a roll number for students in the university. By 1995, that was made illegal, and universities had to assign a local 9 digit number to students. But this number was related to the social security numbers of the students. When I was a faculty back in 2008 or so, new laws came into effect about privacy, and Universities had to create special computer programs that they supplied to faculty and staff to find any email or files on their personal computers where a student name and his/her roll number were in the same email or file. This program was meant to expunge all such files, emails etc. We were not allowed to display grades against roll numbers, and in no circumstances write an email where a student name and roll number were together. This is retroactive privacy. This was done to avoid in any way to divulge a student’s social security number give his/her name. Note that social security numbers are just numbers against names, and social security administration never ever collected biometric data. In fact, in the US, a person’s biometry cannot be requested without his/her informed consent on how that data will be used. Any use beyond that will require a judge’s permission.
You being a computer scientist can tell us better about the constraints related to technical safety measures generally faced while maintaining web-accessible data. Are they vulnerable?
Any data that is accessible via the web, can be hacked. For example, the softwares used to build a website are written by human programmers, and they often carry many vulnerabilities. Only a few months ago, one of the most popular website building software Drupal was found to have such a vulnerability that by using it, a hacker can easily install malware into your web server and get root access, compromise your encryption key and exfiltrate all data. In fact, our website was running on Drupal 7.57 and our system administrator did not update it to 7.59 in spite of being warned and we got completely hacked. In 2016, Linux operating system Kernel was found to have a bug called ‘dirty cow’ which allowed anyone to become a root administrator of a web server running on Linux that was not updated, and again we ourselves hacked our system administrator’s website. So, anyone who exports an interface to the world through web technologies can fall prey to hacking and data exfiltration or worse. The system administrator has to be always on his/her toes, keep watching out for advisories from security agencies and update their software immediately – otherwise, they will be attacked very easily.
However, much of the Aadhaar data leaks happened not even because of these, but because the database behind the web server was seeded with Aadhaar data because of poor choice in using Aadhaar as the identity of people in these databases.
A 2017 compendium drafted by UIDAI on Aadhaar observed that Aadhaar can now be de-linked from any account. Is it necessary?
I think if it is enabled – people should delink. But the problem is that most entities like banks, mobile phone companies, insurance companies and anyone else who took your Aadhaar data via e-KYC have already seeded their local databases with Aadhaar. Much of that might not even be under the jurisdiction of UIDAI. You may de-link your data from the UIDAI servers if they allow, but the monstrosity enabled and created by UIDAI over the last few years will not go away easily, and our citizen’s data privacy has been compromised for good.
Highest Selling Technical Courses of Indian Cyber Security Solutions:
Cybersecurity services that can protect your company:
Other Location for Online Courses: