How privacy can be breached in Aadhaar

Authentication and identification without consent

Authentication to make payments – as an example – requires two independent pieces of information: identity and an authentication credential. Common examples of identity are login or email IDs, cryptographic public keys and ATM or smart cards; some common authentication credentials are passwords (including OTPs), PINs and cryptographic private keys. Identity may be considered (limited) public information but an authentication credential must necessarily be private – a secret that is known only to the user. Moreover, authentication must be a conscious process that requires active participation by a user, but not necessarily so for identity verification.

Biometrics, which are external to one’s body and can easily be harvested without consent, are poor authentication credentials because of possibilities of false presentations. They may be excellent for identity verification under the adversarial oversight of the person or entity requiring the verification. The use of biometrics as authentication credentials for applications like financial transactions is ill-conceived and requires immediate review.

Point of sale and enrolment devices are the most likely sources of leakage of biometric and other sensitive data, which can be used to illegally authenticate or identify. These devices need to be registered with the Unique Identification Authority of India (UIDAI) and authenticated during run-time to ensure that they have not been tampered with. The UIDAI is already taking welcome steps in this direction.

Profiling by correlation of identities across data silos

Identification and profiling without consent by correlating different data silos are undoubtedly big threats to privacy and civil liberty. However, with the current state of affairs with digitisation, linking different data silos using Aadhaar does not seem to add significantly to the attack surface.

It is true that an individual or an entity with access to multiple databases linked with Aadhaar can uniquely identify any individual in them, leading to possible illegal profiling. But such unique correlation attacks can also be carried out using other identifiers such as mobile or PAN numbers. Even if all such unique identifiers are removed from the data, linking databases for unique identification is fairly straightforward using the demographic and personal data that we provide in the course of routine business. In fact, such correlation and profiling, even without unique identifiers, are common for online targeted advertising and will be a trivial task for an entity like, say, the National Intelligence Grid.
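A release audit for the point above, as an added example that is not part of the original article: it counts how many records in a silo stripped of unique identifiers can still be tied to exactly one record in another silo through date of birth, pincode and gender. It goes slightly beyond the text by also showing how coarsening those fields changes the count. The two silos, the field names and every record are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: neither silo carries a UID, mobile or PAN number.
HEALTH = [
    {"dob": "1984-03-12", "pincode": "110016", "gender": "F", "diagnosis": "asthma"},
    {"dob": "1984-07-30", "pincode": "110016", "gender": "F", "diagnosis": "diabetes"},
    {"dob": "1991-11-02", "pincode": "560034", "gender": "M", "diagnosis": "hypertension"},
    {"dob": "1991-01-19", "pincode": "560034", "gender": "M", "diagnosis": "migraine"},
]
SUBSIDY = [
    {"dob": "1984-03-12", "pincode": "110016", "gender": "F", "name": "Resident A"},
    {"dob": "1984-07-30", "pincode": "110016", "gender": "F", "name": "Resident B"},
    {"dob": "1991-11-02", "pincode": "560034", "gender": "M", "name": "Resident C"},
    {"dob": "1975-05-05", "pincode": "400001", "gender": "M", "name": "Resident D"},
]


def qi_key(rec, coarsen=False):
    """Quasi-identifier tuple; coarsen keeps birth year and 3-digit pincode prefix."""
    dob, pin = rec["dob"], rec["pincode"]
    if coarsen:
        dob, pin = dob[:4], pin[:3]
    return (dob, pin, rec["gender"])


def min_group_size(records, coarsen=False):
    """Smallest number of records sharing one quasi-identifier tuple."""
    return min(Counter(qi_key(r, coarsen) for r in records).values())


def linkable(release, other, coarsen=False):
    """Records in `release` that are unique there and match exactly one
    record in `other`: each can be tied to a single named individual."""
    mine = Counter(qi_key(r, coarsen) for r in release)
    theirs = Counter(qi_key(r, coarsen) for r in other)
    return [r for r in release
            if mine[qi_key(r, coarsen)] == 1 and theirs[qi_key(r, coarsen)] == 1]


if __name__ == "__main__":
    for coarsen in (False, True):
        print("coarsened" if coarsen else "as collected",
              "| smallest group:", min_group_size(HEALTH, coarsen),
              "| linkable records:", len(linkable(HEALTH, SUBSIDY, coarsen)))
```

A smallest group of 1 means at least one person is alone in their quasi-identifier tuple; the coarsened run shows the price of fixing that, since the health data then carries only a birth year and a pincode prefix.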

So the risk of illegal profiling does not originate as much from Aadhaar as it does from the modern needs of digital record keeping in different silos, and the Aadhaar privacy debate has drawn timely attention to the issue. What is required is a thorough analysis of what kinds of profiling are legitimate requirements for governance, and codifying them in a law. All other kinds of profiling should be prevented.

This is not to say that using the same UID for all applications does not make it worse. It adds to the vulnerability by making unique identification easy even for a layman. The London School of Economics identity project report suggests cryptographic embedding of a unique global ID into separate local IDs for each application domain, thereby making cross identification using the local IDs impossible except for the ID granting authority. The UIDAI should definitely consider this possibility.
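One way to realise the local-ID idea in the paragraph above, as an added example (not code from the LSE report or from the UIDAI): each domain's ID is derived from the global ID with a keyed HMAC-SHA256 that only the ID-granting authority can compute. The construction, the `IdAuthority` class, the domain names and the sample IDs are assumptions made for illustration.

```python
import hashlib
import hmac


def derive_local_id(master_key: bytes, domain: str, global_id: str) -> str:
    """Derive the local ID for one application domain from the global ID."""
    # Domain separation: every domain gets its own PRF key.
    domain_key = hmac.new(master_key, b"domain:" + domain.encode(),
                          hashlib.sha256).digest()
    # Keyed on purpose: a 12-digit global ID is small enough to enumerate,
    # so an unkeyed hash of it could be reversed by trying every number.
    return hmac.new(domain_key, global_id.encode(),
                    hashlib.sha256).hexdigest()[:32]


class IdAuthority:
    """Hypothetical ID-granting authority; the only holder of master_key."""

    def __init__(self, master_key: bytes):
        self._key = master_key
        self._reverse = {}  # (domain, local_id) -> global_id

    def issue(self, domain: str, global_id: str) -> str:
        local_id = derive_local_id(self._key, domain, global_id)
        self._reverse[(domain, local_id)] = global_id
        return local_id

    def same_person(self, domain_a, id_a, domain_b, id_b) -> bool:
        """Cross-domain linking, available to the authority alone."""
        ga = self._reverse.get((domain_a, id_a))
        gb = self._reverse.get((domain_b, id_b))
        return ga is not None and ga == gb


def naive_join(silo_a: dict, silo_b: dict) -> set:
    """What a holder of two silos can do on its own: match the stored IDs."""
    return set(silo_a) & set(silo_b)


def demo():
    authority = IdAuthority(master_key=b"constructed-demo-key-not-for-use")
    residents = ["123412341234", "567856785678"]  # constructed global IDs
    bank = {authority.issue("bank", g): {"balance": 100 + i}
            for i, g in enumerate(residents)}
    health = {authority.issue("health", g): {"visits": i}
              for i, g in enumerate(residents)}
    bank_id = next(iter(bank))  # first resident's bank ID
    linked = [h for h in health
              if authority.same_person("bank", bank_id, "health", h)]
    return bank, health, naive_join(bank, health), linked


if __name__ == "__main__":
    bank, health, joined, linked = demo()
    print("IDs common to both silos:", joined)
    print("health IDs the authority links to the first bank ID:", linked)
```

The two silos share no identifier, so a join on stored IDs returns nothing, while the authority can still link records for a legitimate purpose.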

A popular solution to prevent correlation is to systematically corrupt the databases using differential privacy techniques to make an individual indistinguishable in a set or group. However, such data corruption may impede legitimate governance requirements.

The only reasonable solution, in our contention, will be to prevent sensitive databases from coming together, except for legitimate purposes and only through automatic means. There also have to be national standards for data collection and protection, not only at the UIDAI but also at other sensitive data domains.

Insider attacks

On the face of it, the data protection measures adopted by the UIDAI appear to be standard and adequate against external threats, but it is not obvious that they are adequate against insider threats. Insider attacks, perhaps at the behest of powerful entities in the state machinery itself, are the biggest threat to privacy and civil liberty. Maintaining data encrypted and distributed within an organisation is not adequate protection against insider attacks if the decryption keys also reside within the same organisation.

For effective protection against insider threats it is imperative to ensure that no manual inspection of sensitive data and transaction logs is ever possible, and that data can only be accessed through pre-audited, tamper-proof, digitally signed computer programs which are true to the legal and policy frameworks. Moreover, such programs must be trustworthy and do precisely and only what they are supposed to do, even when the underlying computing, network and storage infrastructure are untrustworthy (equivalent to having already been hacked).

This will require an independent third party that can play the adversarial role of an online auditor and also that of a key-keeper. The auditor has to ascertain that the programs are true to specifications, sign and seal them, and authenticate them during run-time to ensure that they have not been tampered with. The necessary policy and legal frameworks need to be put in place.

Indeed, we do believe that there are tools and techniques from computer science that may, at least for practical purposes if not provably, offer such protection in the UIDAI and other such sensitive setups. Something as important as Aadhaar definitely requires such due diligence.

Objectives / Linking of Aadhaar are to ensure - State MUST possess all details of all citizens residing in the country. State benefits are credited to right accounts held by bonafide citizens of the country and not infiltrators / fraudies. Genuine citizens are identified and intruders are eased out gradually. Leakages of State benefits / subventions are plugged effectively. Accurate data analysis, precise policy formulation and realistic future planning are other purposes. These objectives are sacrosanct and irrefutable. Now those who object linking of Aadhaar, have just ONE argument to bolster their dubious stand - Loss of privacy !! That's ALL. My response is - All privacy safeguard measures have been adopted. No system is perfect. There is a stringent mechanism to initiate legal action in case of illegalities committed. Benefits are enormous, as listed above. Privacy can never be supreme. Every individual right is subservient to nation's security / well-being / advancement. If there is a stray case of leakage of privacy, is it going to endanger nation's security ? Hardly any / Not at all. If privacy of a known personality is leaked, it is more or less immaterial because public personalities are not supposed to have any privacy at all. They live and die in public domain. If privacy of some private / unknown person, say some Karimullah of Karimnagar district is leaked out, who is interested in those details ? How does that affect him or the State / country / Government ? Who the hell is interested in knowing whether he observed Namaz 5 times yesterday or not !!!! Beneficiaries of State subventions, mostly from poor segments of society, are hardly bothered about any such leakage because their privacy is not a precious asset for them at all. 
Their privacy is an asset for traitors / looters of the nation who wish to transform that into a Conflict-Issue, to stall steep rise in popularity of Modi Government owing to precise effectiveness of Government's economic policies. I am angry because these traitors and dacoits want to spook a very brilliant / visionary economic move undertaken by the Government in nation's history. Opponents of Aadhaar are out and out ENEMIES OF THE NATION. They should be treated the way traitors are treated under legal provisions.
Everything in the world can be breached. Constitution has been breached so many times so damn the Constitution !! Who is saying Aadhaar cannot be breached ? That is no argument at all. For the fear of breach, country cannot be allowed to be looted by Congress and Communists anymore through leakages. The article is a waste of time and space. Even if it is breached, who is interested in knowing colour of your eyes, height....will investigative agencies sit silent once it is breached ? Do not misguide innocent millions. What is the intention behind this article ?
Agree..privacy is a concern while linking Aadhar with bank a/c, cell no, PAN etc However, we feel it is safe to share such info with BJP Govt at centre...if there was a corrupt Congress at centre, we would be extremely scared to share such sensitive info..I'm sure BJP will live up to the trust we have reposed in them..
Ruchika, You have explained the issue very well. Public availability of biometrics is not as much an issue as this information being misused for authentication of a financial transaction (your example) in the absence of the concerned individual - one can lose all the money in a bank account etc. if this use of biometric information is made legal! Unfortunately, some of us continue to see this through the narrow viewpoint of politics / without understanding what you have pointed out .... one can see you did not have any such intentions in explaining the issues patiently. The first three paragraphs in your post very well explain the reasons for the concern ... wish people (who have not understood what you are trying to explain) would at least read these paras patiently again. Insider attack is a concern. Try once more to explain this in simpler worded examples, if possible. Appreciate the explanation.