
Wednesday, January 10, 2018

AADHAAR COULD BE A SINGLE TARGET FOR CYBER CRIMINALS (based on an article in Business Standard)

AADHAAR
The benefits of Aadhaar, India’s biometrics-based unique national identity system–the world’s largest–are unclear and the impact of direct benefit transfers it will be used to deliver to the poor is not studied enough, a new study published by an arm of the Reserve Bank of India (RBI) has concluded.
The paper, ‘Biometric and Its Impact in India’, was a part of Staff Papers series published in its October 2017 edition. It is written by S Ananth, an adjunct faculty at the Institute for Development and Research in Banking Technology (IDRBT), which was established by the RBI as an autonomous institute.
Aadhaar is becoming central to India’s public policy, with an increasing number of programmes being linked to it, and its scope is constantly increasing. In the seven years following its introduction, 1.12 billion Indians or 88.2% of the population have enrolled for Aadhaar, IndiaSpend reported in March 2017.
LINKING OF AADHAAR
Established by Unique Identification Authority of India (UIDAI) under Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, Aadhaar is now used for direct benefit transfers as well as the distribution of foodgrains and essential commodities–under the public distribution system (PDS)–by the state. It includes various payments linked through the Aadhaar-enabled payment system.
The Supreme Court has extended the deadline of linking of Aadhaar with various welfare schemes up to March 31, 2018.
The paper has flagged issues related to Aadhaar such as problems of access to the last mile, issues with the quality of authentication, unclear financial benefits and security concerns and said there needs to be caution in the manner in which the government is linking more economic programmes and activities with Aadhaar.
Ever since its inception, Aadhaar has been caught in various debates, especially over the issue of the citizen’s right to privacy and threat of information leak. The latest of these controversies is an investigative story reported in The Tribune on January 3, 2018. It alleged that unrestricted access to details of over one billion Aadhaar numbers can be purchased at as little as Rs 500.
By paying Rs 300 more, the details of any Aadhaar card can be printed, the report said. “..[It] is a major security breach,” the deputy director of UIDAI regional officer Chandigarh was quoted to have said.
Although there is news of a compromise of the Aadhaar data, we have not heard of any action initiated against the person who shares this data, or of any action initiated to secure the system further to avoid such a recurrence in future. Instead, the only message we are hearing is a denial that any such thing happened.
‘Could be a single target for cybercriminals’
The protection of the data under its control is a major challenge for the UIDAI. “Thanks to Aadhaar, for the first time in the history of India, there is now a readily available single target for cybercriminals as well as India’s external enemies,” the paper said. Any attack on UIDAI data can cripple Indian businesses and administration and would result in a huge loss to the country’s economy and the privacy of its citizens.
Also, since Aadhaar is required for a number of transactions, it is available in the database of a large number of service providers and any breach can compromise the information contained in it. The UIDAI allows private players to build an ecosystem–that is, services and applications–around Aadhaar, which raises questions about the security of the database.
In December 2017, the UIDAI barred Bharti Airtel and Airtel Payment Bank from opening new accounts. It was found that Airtel used the Aadhaar-based verification to open payment bank accounts of their customers without their informed consent. There are allegations that these accounts were linked to receive LPG subsidy. No penal action was taken by the UIDAI for the violation of the Aadhaar Bill.
The paper calls for a more robust and comprehensive law on the use and misuse of the massive amount of data being generated and collected.
The action against Bharti Airtel and Airtel Payment Bank is not commensurate with the crime committed by them. Further, we do not know whether the system has been stabilized to avoid such happenings in future.

Problems with last-mile reach
Financial inclusion was one of the goals of Aadhaar since its inception, but a biometric solution tends to be long on promise and short on delivery, according to Ananth.
The paper has cited the example of undivided Andhra Pradesh to prove this. This was one of the first states to embark on a massive modernization programme for its administrative apparatus by creating various databases that mapped public schemes.
It began in 2002 and by 2014, the state had mapped self-help groups, the National Rural Employment Guarantee Scheme, pensions, student scholarships, disability benefits, health insurance and so on.
But the growing emphasis on the use of Aadhaar as a compulsory ‘know your customer’ (KYC) norm is emerging as an obstacle in banking access for those who had registered with the earlier system in Andhra Pradesh, the report found.
In Kurnool district of Andhra Pradesh, those who opened accounts between 2010 and 2013 are now having problems of access, according to bank correspondents (agents who provide banking services in underbanked areas). Banks have blocked access to those who have not submitted their Aadhaar numbers.
This lack of access has inconvenienced customers who need an account for various direct benefit transfers (DBT). In the case of accounts closed by banks due to non-linking with Aadhaar, money has returned to government agencies. The customer then has to open a new bank account in another bank and then run to various government offices to change their bank account number registered under the scheme.
“Problems with the withdrawal of money at a time when it is needed the most either due to non-working channels or problems with KYC compliance has convinced people that the best place for their money in their pocket or at home under the mattress,” the paper noted.
Also, there is one significant disparity between financial inclusion accounts–zero balance accounts opened for individuals who didn’t have a bank account–and ordinary bank accounts. Customers with financial inclusion accounts are not allowed access to their accounts from non-home branches, but regular accounts are.
Contradicting cost-benefit analyses
There are contradicting cost-benefit analyses about Aadhaar, the paper stated. The government, in a paper put out by the National Institute of Public Finance and Policy, claims that till date it has saved about Rs 146.720 billion using Aadhaar through DBT schemes. But a Canadian non-profit, International Institute of Sustainable Development, has claimed that the government has incurred a loss of Rs 970 million.
Does the change in the system of subsidy delivery–from the current practice of providing tangible commodities and services to cash transfers–actually benefit the poor? There are no clear answers, said the paper. It may inconvenience public distribution system beneficiaries and “the long-term benefits of DBT on the poor (sic) are as yet largely unstudied (sic) and most of the expectations are based on theoretical assumptions”, the paper said.
Biometric authentication: The problem of quality
The Aadhaar Act allows the government to establish the citizen’s identity as a condition for the delivery of subsidies, benefits or services. In such cases, biometric authentication allows the government to reach genuine beneficiaries.
But for this, the biometric authentication system has to be flawless which is not the case in India currently. Failures in biometric authentication between January and June 2017 have fallen by half–from 7.14% to 3.56%, according to Andhra Pradesh’s UID data. However, there was also a 61% fall in the number of authentications in June as compared to January.
Aadhaar allows a beneficiary to access benefits like PDS in any location irrespective of where he is registered. But a high failure rate was detected in this provision in districts with high levels of migration.
Authentications and failures were found to be the highest when a large number of people–migrants and non-migrants–were present in the village. These flaws in the biometric system raised the question if a government can provide benefits to citizens irrespective of where his/her Aadhaar was registered.
“There is no way of cross verifying the quality of biometrics stored, especially by the person who has enrolled,” the study noted.
In a worst-case scenario, a flawed biometric authentication system can lead to ‘identity denials’–wherein a person can be denied the fact that they are who they are, the paper said.
Even assuming that only 5% of Indians are denied government benefits due to issues with Aadhaar, we are still looking at 50 million citizens, said the paper. That is more than the population of many European countries. “Does it mean this exclusion of a small minority is condonable in a democratic society?” the author has asked.

Virtual ID

In a bid to address privacy concerns, the UIDAI on Wednesday introduced a new concept of 'Virtual ID', which an Aadhaar-card holder can generate from its website and give for various purposes, including SIM verification, instead of sharing the actual 12-digit biometric ID. This will give users the option of not sharing their Aadhaar number at the time of authentication.
The Virtual ID, which would be a random 16-digit number, together with biometrics of the user would give any authorized agency like a mobile company, limited details like name, address, and photograph, which are enough for any verification. Officials said a user can generate as many Virtual IDs as he or she wants. The older ID gets automatically canceled once a fresh one is generated.
The Unique Identification Authority of India (UIDAI) has also introduced the concept of 'limited KYC' under which it will only provide need-based or limited details of a user to an authorized agency that is providing a particular service, say, a telco. The Virtual ID will be a temporary and revocable 16 digit random number mapped to a person's Aadhaar number and the Aadhaar-issuing body will start accepting it from 1 March 2018. From 1 June 2018, it will be compulsory for all agencies that undertake authentication to accept the Virtual ID from their users.

Agencies that do not migrate to the new system to offer this additional option to their users by the stipulated deadline will face financial disincentives. "Aadhaar number holder can use the Virtual ID in lieu of Aadhaar number whenever authentication or KYC services are performed. Authentication may be performed using the Virtual ID in a manner similar to using Aadhaar number," a UIDAI circular said.
The move aims to strengthen the privacy and security of Aadhaar data and comes amid heightened concerns around the collection and storage of personal and demographic data of individuals. Users can go to the UIDAI website to generate their virtual ID which will be valid for a defined period of time, or till the user decides to change it. They can give this Virtual ID to service agencies along with the fingerprint at the time of authentication.
Since the system generated Virtual ID will be mapped to an individual's Aadhaar number itself at the back end, it will do away with the need for the user to share Aadhaar number for authentication. It will also reduce the collection of Aadhaar numbers by various agencies. As per the UIDAI, agencies that undertake authentication would not be allowed to generate the Virtual ID on behalf of Aadhaar holder. The UIDAI is instructing all agencies using its authentication and eKYC services to ensure Aadhaar holders can provide the 16-digit Virtual ID instead of Aadhaar number within their application.
As many as 119 crores biometric identifiers have been issued so far and Aadhaar is required as an identity proof of residents by various government and non-government entities.

For instance, the government has made it mandatory for verifying bank account and PAN to weed out black money and bring unaccounted wealth to book. The same for SIM has been mandated to establish the identity of mobile phone users.
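The Virtual ID properties described above (a random 16-digit token mapped to the Aadhaar number at the back end, cancellation of the older ID on regeneration, and 'limited KYC' output) can be modelled as a small token vault. This is an added illustration, not UIDAI code or its actual design; the class and method names, the `biometric_ok` flag standing in for a fingerprint match, and the sample record are all assumptions constructed for the example.

```python
import secrets

class VirtualIdVault:
    """Toy model of the Virtual ID mapping described above (not UIDAI code)."""

    LIMITED_KYC_FIELDS = ("name", "address", "photo")  # fields named in the article

    def __init__(self, records):
        # records: {aadhaar_number: full record}; constructed sample data only
        self._records = records
        self._vid_to_aadhaar = {}   # back-end mapping, never shown to agencies
        self._aadhaar_to_vid = {}   # the single live VID per holder

    def generate(self, aadhaar):
        """Holder-initiated: issue a fresh random 16-digit VID, cancel the old one."""
        if aadhaar not in self._records:
            raise KeyError("unknown holder")
        old = self._aadhaar_to_vid.pop(aadhaar, None)
        if old is not None:
            del self._vid_to_aadhaar[old]           # older ID is cancelled
        while True:
            # CSPRNG, so a VID cannot be predicted from earlier ones
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
            if vid not in self._vid_to_aadhaar:     # never reuse a live VID
                break
        self._vid_to_aadhaar[vid] = aadhaar
        self._aadhaar_to_vid[aadhaar] = vid
        return vid

    def limited_kyc(self, vid, biometric_ok):
        """Agency-facing: limited fields only, never the Aadhaar number."""
        aadhaar = self._vid_to_aadhaar.get(vid)
        if aadhaar is None or not biometric_ok:
            return None                             # revoked/unknown VID or failed match
        record = self._records[aadhaar]
        return {k: record[k] for k in self.LIMITED_KYC_FIELDS}

# Constructed sample record; the 12-digit number is a made-up placeholder.
SAMPLE = {"000000000000": {"name": "A. Resident", "address": "Sample Street",
                           "photo": "<jpeg>", "dob": "1990-01-01", "mobile": "0000000000"}}

def demo():
    vault = VirtualIdVault(SAMPLE)
    first = vault.generate("000000000000")
    kyc = vault.limited_kyc(first, biometric_ok=True)
    second = vault.generate("000000000000")         # regenerating revokes `first`
    return first, second, kyc, vault.limited_kyc(first, True), vault.limited_kyc(second, True)
```

An agency that stored `first` holds nothing useful once the holder regenerates, and at no point does the agency-facing call return the underlying number or the fields outside the limited set.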
Conclusion:
Aadhaar is a very good scheme to identify people and ensure that all benefits reach the needy without the intervention of middlemen. However, the following issues are not yet addressed:
1.   The biometric system needs to be improved to protect against misuse of data.
2.   Since it is linked to various other servers such as Income Tax, Public Distribution System, mobile operations, payment banks, banks and financial institutions, do these systems have the necessary controls to protect the data of the common man? Does any audit system exist, and what action will be initiated against the errant?
3.   The common man does not have any platform to know which services are linked to Aadhaar. A dashboard is required for this purpose.
4.   All Aadhaar updates require only one authorization mode, such as OTP. We need to find a second stage of authorization for Aadhaar to make it more secure.

Based on the article in Business Standard: http://www.business-standard.com/article/economy-policy/rbi-researchers-say-attack-on-aadhaar-can-cripple-economy-doubt-its-pros-118010900158_1.html

