India wants to add features to Aadhaar even before it can fix what’s broken

The Unique Identification Authority of India (UIDAI) has had a terrible 2018 so far, as numerous issues have been reported in its Aadhaar system designed to ID 1.3 billion citizens across the country. And yet, it seems keen to tack on more features as if nothing has happened.

Earlier this month, a local paper reported that it was possible to purchase any registered citizen’s Aadhaar data (which includes their name, address, and date of birth, among other details) by contacting an agent and paying them Rs. 500 ($8).

Subsequently, French security researcher Robert Baptiste highlighted problems with the official mAadhaar Android app, which lets you display a digital version of your ID card on your phone. Baptiste, aka Elliot Alderson aka @fs0c131y, noted that poor security protocol could allow an attacker in possession of your phone to bypass the password protection in mAadhaar and access your private identity information.

Over the weekend, he claims to have spotted something even more curious: a test app published on Google Play by the UIDAI, with no information about what the app does – but with a link to in the developer listing. The site appears to be owned by a developer who has a presence on Twitter and GitHub, but claims to have no association with the Indian government agency.

To be fair, if @fs0c131y’s recent tweets are true, the last incident isn’t a security risk on its own, but it signals shoddy handling of a major public account owned by the UIDAI. It calls into question the capabilities of the developers behind the software being used to ID one of the world’s largest populations.

And before it’s managed to address any of these issues, the UIDAI is busy introducing new features to its Aadhaar program.

The first is the Virtual ID, a 16-digit number that you can give out to companies and service providers in lieu of your 12-digit Aadhaar number, so they can grab the details they need about you from the Aadhaar database.

The next is a Face Authentication mechanism that will negate the need for fingerprints, so as to help the elderly and any other people who have trouble using their hands for biometric authentication. The feature will roll out in July.

That’s all well and good, but the UIDAI would do well to first quell people’s fears about the lack of security around Aadhaar’s various endpoints, and audit its internal processes and software development practices to ensure that its data and apps are truly world-class.

That would negate the need for PR moves like this piece by RS Sharma (Chairman, Telecom Regulatory Authority of India and former Director General, UIDAI) that labels critique of the Aadhaar program as a ‘campaign’ to discredit it.

Is that too much to ask from the world’s first online ID system?
