NEWS

'Aadhaar is a major national security risk'

By Syed Firdaus Ashraf
September 27, 2018 11:00 IST

'If your data is hacked you cannot go to court. Only UIDAI can go to court.'
'UIDAI is lying that Aadhaar is completely secure.'

Illustration: Dominic Xavier/Rediff.com

Nikhil Pahwa, founder, editor and publisher of the Web site Medianama, is a vociferous critic of Aadhaar.

He has still not got an Aadhaar card and says, sadly, he will now have to get one after the Supreme Court's judgment on Wednesday, September 26.

"The government argued against the Fundamental Right to Privacy in the Supreme Court to delay the hearings for Aadhaar. Had they not done that, the case would have finished in 2016 itself. During that time, millions of people went for Aadhaar so it became a fait accompli, and that was the intention all the time," Pahwa tells Rediff.com's Syed Firdaus Ashraf.

You called for the 'destruction of Aadhaar' in a tweet. Why do you hold such strong views against it?

Aadhaar is the making of a surveillance State. Profiling of citizens is already being done at the state-level in state resident data hubs.

I think it is dangerous for democracy if states are allowed to profile citizens to such an extent.

It is happening in Rajasthan. I think even (Andhra Pradesh Chief Minister Nara) Chandrababu Naidu is building a similar database, linking all aspects of a citizen's life with the Aadhaar number.

Aadhaar is dangerous for us as citizens.

Also, there is no means to know what kind of fakes exist in the Aadhaar system.

If you look at the enrolment software hack, which Huffington Post reported (external link), it allows people outside of India to enrol for Aadhar who are not necessarily in the database.

From that perspective, Aadhaar has become a massive security risk.

Also, leakages of people's personal information have become personal risks for them.

I think it is going to be very dangerous for our country in the future.

At some point of time there will be certain damage that will be done to individuals before it is destroyed.

The United Kingdom considered unique identity projects before the Labour Party came to power and destroyed it because it was very serious (issue).

I don't think Aadhaar complies with the Fundamental Right to Privacy. I disagree with the Supreme Court that it isn't unconstitutional.

I understand the judges have gone by their own wisdom, but I would go with Justice (D Y) Chandrachud's distinct judgment.

Also, Aadhaar is extremely unsecure and I think the Supreme Court needs to take that in cognisance.

There are reports coming out every day of data being leaked and software being hacked.

The UIDAI (Unique Identification Authority of India) is lying that Aadhaar is completely secure.

 

The assumption is that biometrics are safe and secure, but you say it is not so.

We leave our biometrics on every glass of water that we pick up. There are students who have cloned fingerprints to mark proxy attendance.

Biometrics, in fact, is the least secure form of authentication. You cannot change your biometrics.

You can change your PIN and password, but you cannot change your biometrics.

If your biometric gets copied, and it is very easy as biometric have been copied from photographs, you are compromised for your entire life.

That sounds dangerous.

It is a fact. Biometrics are not secure.

You pick up a glass of water and are you telling me your fingerprints cannot be copied?

Of course, it can be copied and they do that in forensics.

There is a college in Mumbai where students replicated thumb prints to mark proxy attendance.

In Surat, biometric data was being sold and two traders were arrested for that.

Biometrics are less secure than passwords. All major businesses get hacked at one point or other time, but they protect users by keeping data in silos.

Secondly, when something goes wrong with passwords, they change the password. But how do you change your fingerprints?

Since I have already given my biometrics for a mobile phone connection, how can that be misused?

(Finance Minister) Arun Jaitley had said in Parliament once that there are a number of cases where people's money has been funnelled out of their bank accounts.

There are a number of cases like that and we did stories on Medianama.

Let me ask you this since you got an Aadhaar how often you have used biometric authentication. Hardly ever, right?

Except while connecting my SIM card to Aadhaar...

Most people use a one-time password-based system (for that).

In a country where the population barely understands technology, look at the number of instances where money is being funnelled out by using OTP and UPI (the Unified Payments Interface).

Phishing attacks are already happening. Now the problem is when that happens, you will not link back to the source of loss of data.

TRAI (the Telecom Regulatory Authority of India) chief R S Sharma (recently) tried to point out that losing data is not problematic. But just because he was not harmed today does not mean he will not be harmed in future.

People, though, went and located all sorts of information about him (on Twitter).

The Modi government brought in Aadhaar as a money bill, which you have criticised. It may have been procedurally wrong, but was there any other problem with that decision?
Why did the government want to pass this bill so desperately?

I am not going to question the intent of the government in terms of why they wanted this bill to be passed so desperately.

My problem is that it did not go under the scrutiny of the Rajya Sabha. In fact, there were amendments pushed by the Rajya Sabha which were not accepted by the government.

Therefore, it is highly problematic how it was dealt with. I would just say what they did procedurally and operationally was wrong.

I think it is very disappointing that the Supreme Court has upheld Aadhar as a money bill as that opens the doors for this government and governments to follow to misuse the money bill provision.

The United States has the social security number, most democracies have a citizens ID card. Can't Aadhaar be of some use in a similar way?

Scroll.in has done a story about it and we too have done (a story) on this.

Aadhaar is not a social security number and social security number is not a 'linked' number.

You can change your social security number but you cannot change your Aadhaar number.

I am not sure whether this provision has been removed or not, but under the Aadhaar Act, if your data is hacked you cannot go to court. Only the UIDAI can go to court.

That is inherently unconstitutional.

The social security number is also not linked to biometrics. If you want to look at the US situation, the social security numbers were hacked last year.

Any centralisation of data is problematic. If we have multiple identification cards and identification numbers we can choose to keep ourselves secure by using different cards and different identification methods in different circumstances.

I can give my driving licences or other ID or Aadhaar. Hopefully not Aadhaar.

I will never use Aadhaar as I have still not got Aadhaar.

You don't have an Aadhaar card yet?

No. I might be forced to get one now as it has been made mandatory for PAN.

Look, I saw the dangers very early and decided that I didn't want to risk myself.

My Supreme Court has failed me (on Aadhaar) and my government has already been failing me, so I might get one.

Linking Aadhaar with phone numbers helps track criminals. An alleged terrorist was arrested in Gaya because of Aadhaar.

I have never heard anything like this. In Pathankot, there was a terrorist who was found with Aadhaar,.

An Uzbek woman who committed a crime in Andhra Pradesh had Aadhaar in a different name.

I have never heard of a terrorist being caught because of Aadhaar.

Aadhaar is not proof of identification.

A CNN-IBN journalist proved there is a problem with Aadhaar when he got Aadhaar in a fake name by producing a fake driving licence.

They did not verify his address like they do for a passport for which the police comes to your home, checks your address and also with neighbours to confirm your address.

Where is that kind of verification in Aadhaar? Aadhaar is based on any other ID. It is not proof of address.

Phone linking with Aadhar helps national security.

How does it help? If I have an Aadhaar card in a fake name and then I get a mobile with a fake Aadhaar, how does it help national security?

Granted there are loopholes.

This is not loophole. This is a problem.

If you look at the Huffington Post report (external link), it says anyone in the world could have enrolled for Aadhaar.

It was a sophisticated hack. Anyone in the world could have enrolled for Aadhaar and that was certified by multiple security experts globally.

So someone sitting in Pakistan could have potentially enrolled for Aadhaar with their fingerprints and you would never know. There was no way of knowing it.

Why did the Modi government not realise these things?

I have been saying this for a while now. Aadhaar is a major national security risk for India.

I wish the Supreme Court realised it and I hope the Indian Army realises it.

UIDAI does not have a monitoring mechanism. They have an audit mechanism.

When journalists report issues, that is when they (UIDAI) act on it.

And what they do? They file an FIR against journalists who report on the Aadhaar problem so more people do not report problems on Aadhaar.

What kind of security policy is this? Look at what happened to the Tribune newspaper story.

UIDAI comes out and says 'Oh, but there is no problem'.

How can you trust a government body that lies like that?

There are good things about Aadhaar too, like the leakage in subsidies being plugged.

We have done an analysis on the leakage of subsidies. The government took data which was not attributable to Aadhaar, but they just attributed to Aadhaar.

There have been instances where they have taken data for one small part of one district and attributed that to the entire country over a longer period of time.

The World Bank has largely retracted the report which the government had cited as proof of savings.

There is no trustworthy information coming out from the government on Aadhaar.

They went and argued against the Fundamental Right to Privacy in the Supreme Court to delay the hearings for Aadhaar.

Had they not done that, the case would have finished in 2016 itself.

During that time, millions of people went for Aadhaar so it became a fait accompli, and that was the intention all the time.

Syed Firdaus Ashraf / Rediff.com

Recommended by Rediff.com

NEXT ARTICLE

NewsBusinessMoviesSportsCricketGet AheadDiscussionLabsMyPageVideosCompany Email