Hindustan Times (Lucknow)

Fingerprints: Aadhaar’s key of choice too ubiquitous to be safe

- Aman Sethi aman.sethi@hindustantimes.com

NEW DELHI: The widespread and largely unsupervised use of biometrics for everything from accessing university classrooms to identifying sea-faring fishermen along India’s coasts has resulted in the proliferation of public and private databases that could compromise the integrity of India’s Aadhaar-based authentication system.

“Ordinarily, the existence of these biometric databases would not scare me,” said Subhashis Banerjee, Professor of Computer Science Engineering at IIT Delhi. “But given the UIDAI uses biometrics for authorising transactions, these databases are a risk.”

In effect, the real database problem for Aadhaar lies not so much with its own database as with these other databases.

The Unique Identification Authority of India (UIDAI), the agency responsible for the Aadhaar programme, did not respond to HT’s request for comment.

Earlier this month, the Tribune reported that Aadhaar numbers and demographic information could be purchased for as little as ₹500.

The UIDAI insisted that the biometrics of over 1 billion citizens were secure in the Central Identities Data Repository (CIDR) maintained by the agency.

That’s true, but the existence of independent biometric databases means the information the UIDAI holds under lock and key is also scattered amongst scores of government departments, many of which have little conception of data security.

Repeated government directives to seed databases with Aadhaar numbers have only worsened this threat, two senior IT administrators said. This is because any biometric database that seeds Aadhaar numbers, by default, has the same information as UIDAI’s CIDR for those particular Aadhaar numbers.

Thus far, there have been no public reports of hackers stealing Indian biometric stashes, but in 2015 hackers believed to have ties with Chinese security agencies stole 5.6 million fingerprints from the servers of the Office of Personnel Management, the human resource department of the US government.

50 MILLION PRINTS

From 2012 to 2016, the Employees State Insurance Corporation (ESIC) of India gathered 50 million biometric records to issue identity cards for workers and their family members, according to project documents reviewed by HT.

The ESIC then switched to Aadhaar-based authentication, and had linked 10 million Aadhaar numbers to their insurance database by 31 July 2017, according to a reply to a Lok Sabha question.

This means a server in the ESIC office on Delhi’s outskirts, and its backup in Hyderabad, hold a database that integrates Aadhaar numbers with biometrics and demographic details, effectively mirroring a portion of the UIDAI’s top secret CIDR.

In an interview, Mr. Sanjay Sinha, Additional Commissioner at the ESIC, said the database was safe, and encrypted. But databases must be continuously upgraded to stay secure. The ESIC system was built by Wipro in February 2009 under a five-year agreement to maintain it.

When the agreement expired in 2014, ESIC signed a maintenance contract with Railtel Corporation of India, a subsidiary of the Indian Railways, Mr. Sinha said. This means the corporation no longer receives security upgrades from Wipro, and relies on Railtel to secure a system that Railtel did not build.

DATABASES GALORE

The ESIC is not the only organisation to unwittingly build a slice of the CIDR.

Gujarat’s ration card project captured the biometrics of 7 million residents. This database is being seeded with Aadhaar numbers as well, a senior IT official in the state said, implying that the Gujarat government has its own abbreviated version of the UIDAI’s CIDR.

Meanwhile, the fingerprints of 2.1 million coastal fishermen are stored in the “National Marine Fishers Database” built by a consortium of public sector companies.

“The enumeration of fisherman by conducting many number of camps in fishing villages has been completed,” a spokesperson for Bharat Electronics Limited, the consortium leader, said. “The data collected has been converted to smart cards and issued to fishermen through state authorities.”

BEL did not explain how the information was stored, but a 2012 order by the Central Information Commission notes that the data is the “proprietary information of the Registrar General” and that these “PSUs will take all care to safeguard the confidentiality of this information.”

These 2.1 million fingerprints would probably be held by the Department of Animal Husbandry, Dairying and Fisheries, an official said.

“Who knows what they know about data security,” the official observed, seeking anonymity as the matter is deemed too sensitive to discuss with the press.

FROM DATABASE TO FINGERPRINT

Biometrics are protected by encryption and by condensing fingerprints into templates obtained by using software to extract unique features of a given print.

But encrypted data needs decryption keys, which may be leaked if a database is accessed by multiple users.

Templates do not offer total security either.

“There was a misconception that a template cannot be inverted, but that is not true anymore,” said Anil Jain, Professor at the Department of Computer Science and Engineering at Michigan State University. “It is possible to use a template to reconstruct a fingerprint to a high degree of accuracy.”

The reconstructed fingerprint, Prof. Jain has shown, can be used to build spoof fingerprints that fool most biometric readers.

Meanwhile, the ESIC continues to sit on its enormous archive of fingerprints. “We can’t just delete the data,” said an ESIC official. “That will happen as and when we get the appropriate orders.”

HT FILE ▪ The UIDAI insisted that the biometrics of over 1 billion citizens were secure in the CIDR maintained by the agency
