Aadhar and the security concerns
There has been a lot of chatter around Aadhar. The voices have been disparate and haphazard. The most amusing part of all these discussions is that I am yet to see a post that uniquely tries to identify where the loopholes might be. Most of the anti-Aadhar and security concerns look like scaremongering or at best conspiracy theories. But the question still stands, is Aadhar susceptible to misuse?
As any self-respecting hacker would say, everything is insecure. The question is how difficult have you made it to exploit the vulnerability. How accessible are these flaws for exploitation? What is the cost of breaking the law and what is the benefit of going to that quanta of trouble. Lets us try and analyze the conundrum on these principles.
What is the penalty of impersonation and how well does the state look at identity fraud?
Identity fraud in India is still nascent. In a low per capita income country, the benefits of identity fraud are not very high. Hence identity fraud has not become a major headache. But as India’s per capita grows, this will become incentive enough. There is a penalty by law, but in a country this populous one does tend to think, what is the value that law enforcement will give to identity fraud? As the SSN impersonation is taken seriously in the USA. Will India be able to do the same? Is the cyber wings of our law enforcement capable enough? When the NIC does not care enough to enable HTTPS on sites and services accessing Aadhar data, how much can we trust these agencies?
What is the current infrastructure and environment on the data security architecture?
For a country that boasts of significant IT presence, the competence of our government in these areas is still under question. Have a look at all the PDFs and Excels galore on government websites that have not had the decency to depersonalize data like date of birth etc. Incidents like Zomato hack do raise a lot of eyebrows but do not trigger a governmental action against the lackadaisical approach towards data security. Companies are allowed to data mine without repercussions. In an environment where the government is as clueless as ours, what is the confidence that one can have that the policies and safeguards are serious enough.
What are the ways one can exploit the data?
As per security, a system is as strong as its weakest link. UIDAI might have an impressive array of security measures against a hack (Let’s accept that as a supposition, though the hacker in me demurs!). How secure are the places that access this database.
The hack on the NIC showed how secure the governmental infrastructure is that accesses this data. I would also be interested to know other than the HTTP hack, how good the architecture of NIC is vis-a-vis de-personalization, masking and encryption. Jargons do not create security. Its their implementation and constant upkeep against newer hacks is what makes them secure.
Take for example the KYC’s for obtaining a sim card. People have commented that these are secure areas as a standard hardware connects to the UIDAI database through all the correct jargony layers. That is where the problem arises. Every tiny shop that uses a device to access this data is suspect. What we forget is there is something called a ‘Man in The Middle attack’! To explain the jargon, what prevents these SIM distributors to put an adapter (IT jargon) in between the fingerprint recognition device and the app that connects to the UIDAI database. What prevents them from storing the data packets being sent to the UIDAI database? The only thing deterring them now is the low availability of such programmers and the relative use of such data after acquisition. Will that always be the case? Is it the same case if the data being gathered is for people related to sensitive installations of our country?
I am not scaremongering but trying to understand myself too.
Should we go back?
Now that is the million dollar question. In my humble opinion, NO. Every system can be hacked. Every system can be bought down to its knees. The only question is how big a price we put to the person who is ready to do that? How easy its is to game the system?
In my humble view, Aadhar system was a much needed administrative reform for this country. Outside my scope to talk about that. However, irrespective of its flaws, we need to talk about how we need to make it securer. How we can put a premium of data privacy. The current discourse has been on partisan lines. I hate Aadhar. I like Aadhar. We need to understand that it is a necessity. And it has security flaws and serious ones at that. The need of the hour is to accept that and work on mechanisms to ensure that India is not breached.
The borders are not only geographical now. They have reached our computers. It is a need of the hour that our data is given the same sanctity that we give to our borders.
Technology Guy With A penchant for the Esoteric