Bad Aadhaar cybersecurity tramples on the Right to Privacy
In a landmark ruling last August, the Right to Privacy became the seventh Fundamental Right guaranteed by the Constitution of India.

Feb 11, 2018
Updated Feb 20, 2018 4:18 PM IST
In a landmark ruling last August, the Right to Privacy became the seventh Fundamental Right guaranteed by the Constitution of India. Before the ink was dry on the decision, observers such as myself wondered how the new Aadhaar biometric identification system could possibly be recalibrated to align with it.
In fact, Aadhaar had been central to the discussion about privacy that led to the ruling, as had the Facebook-owned WhatsApp messenger. As Additional Solicitor-General P.S. Narasimha told the Supreme Court in July, "My individual personal data is intimate to me. It is an integral part of my right to lead a life with dignity." By then, over a billion Indian residents had given their most individually-identifying information to government agency UIDAI.
Those who worried about WhatsApp and Aadhaar at the time were on the right track, but they could not have known the full depths of the problem. Who would have guessed that anyone's Aadhaar data would soon be bought and sold cheaply over WhatsApp? Last year, there were signs that Aadhaar data was being mishandled, and not necessarily by UIDAI. Parallel databases that stored Aadhaar data and used it for identification were recklessly publishing information.
It's well-known that UIDAI doesn't own up to its mistakes, instead threatening reporters who reveal vulnerabilities. UIDAI's web-based portal still has major problems, and it was just revealed this week that any administrator can give anyone else in the world full access to the database backend, often for a price. Not only are a variety of questionable third-party apps available through Google Play that request Aadhaar data, but UIDAI's official mAadhaar app has serious problems.
In an effort to understand these issues more thoroughly, I contacted Baptiste Robert, a French security researcher who goes by the Mr. Robot-inspired pseudonym Elliot Alderson. Though Baptiste's work exposing scary flaws in the mAadhaar app has prompted no official response, it has caught the attention of cyber-security superstars like Edward Snowden and Troy Hunt.
As Baptiste said in an e-mail, "UIDAI didn't contact me. The app is still not updated. Regarding how they used the Play store, I'm pretty sure they lost the release keys and so are unable to update the app."
Such incompetency by UIDAI is plausible, given the basic mistakes made in the mAadhaar app's design. Mobile apps are notoriously difficult to secure, and my own digging into app privacy continues to remind me that even 'anonymised' or 'masked' information may identify individuals when databases are correlated. mAadhaar sidesteps this issue with a bizarre twist: the local