The Unique Identification Authority of India (UIDAI) has had a terrible 2018 so far, as numerous issues have been reported in its Aadhaar system designed to ID 1.3 billion citizens across the country. And yet, it seems keen to tack on more features as if nothing has happened.
Earlier this month, a local paper reported that it was possible to purchase any registered citizen’s Aadhaar data (which includes their name, address, and date of birth, among other details) by contacting an agent and paying them Rs. 500 ($8).
Subsequently, French security researcher Robert Baptiste highlighted problems with the official mAadhaar Android app, which lets you display a digital version of your ID card on your phone. Baptiste, aka Elliot Alderson aka @fs0c131y, noted that the app's weak local password handling could allow an attacker in possession of your phone to bypass the password protection in mAadhaar and access the identity information stored in it.
— Elliot Alderson (@fs0c131y) January 10, 2018
Over the weekend, he claims to have spotted something even more curious: a test app published on Google Play under the UIDAI's developer account, with no information about what the app does – but with a link to wferr.com in the developer listing. The site appears to be owned by an independent developer who has a presence on Twitter and GitHub, and who says he has no association with the Indian government agency.
— Elliot Alderson (@fs0c131y) January 14, 2018
To be fair, if @fs0c131y’s recent tweets are accurate, the last incident isn’t a security risk on its own, but it signals shoddy handling of a major public developer account owned by the UIDAI. It calls into question the practices of the developers behind the software being used to ID one of the world’s largest populations.
And before it’s managed to address any of these issues, the UIDAI is busy introducing new features to its Aadhaar program.
The first is the Virtual ID, a temporary, revocable 16-digit number that you can give out to companies and service providers in lieu of your permanent 12-digit Aadhaar number, so they can fetch the details they need about you from the Aadhaar database without ever being handed the Aadhaar number itself.
The next is a Face Authentication mechanism intended as an alternative to fingerprint scans, so as to help the elderly and anyone else who has trouble using their hands for biometric authentication. The feature is due to launch by 1 July 2018.
@UIDAI introduces yet another landmark technology for authentication – Face Authentication. #AadhaarFaceAuth will help all elderly or others facing issues with fingerprint authentication. Service to be launched by 1 July 2018.
— CEO UIDAI (@ceo_uidai) January 15, 2018
That’s all well and good, but the UIDAI would do well to first quell people’s fears about the lack of security around Aadhaar’s various endpoints, and audit its internal processes and software development practices to ensure that its data and apps are truly world-class.
That would negate the need for PR moves like this piece by RS Sharma (Chairman, Telecom Regulatory Authority of India and former Director General, UIDAI) that labels critique of the Aadhaar program as a ‘campaign’ to discredit it.
Is that too much to ask from the world’s largest online ID system?