Want Anybody's Personal Details From Aadhaar, India's Billion-Person Identity Database? Yours For $8
from the Aadhaar-admin-accounts-also-available-on-request dept
We've been writing about the world's largest biometric database, India's Aadhaar, since July 2015. Over 1.1 billion people have now been enrolled, and assigned an Aadhaar number and card, which represents 99.9% of India's adult population. There are currently around 40 million authentications every day, a number that will rise as Aadhaar becomes inescapable for every aspect of daily life in India, assuming it survives legal challenges. That scale necessarily entails a huge infrastructure to handle enrollment and authentication. So it will come as no surprise to Techdirt readers that it turns out you can obtain unauthorized access to the Aadhaar system very easily, and for very little cost. As the Indian newspaper The Tribune revealed:
It took just Rs 500 [about $8], paid through Paytm [an Indian online payment system], and 10 minutes in which an "agent" of the group running the racket created a "gateway" for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.
What is more, The Tribune team paid another Rs 300 [$4.75], for which the agent provided "software" that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.
Given the repeated assurances by the UIDAI that the Aadhaar database was completely secure, this is big news, and led to some breathless damage limitation by the Indian authorities on Twitter. The UIDAI explained that: "Some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details"; and: "There has not been any data breach of biometric database which remains fully safe & secure with highest encryption at UIDAI and mere display of demographic info cannot be misused without biometric". Although it may be true that this is not a biometric data breach, it nonetheless reveals a serious vulnerability in the system's design, and on a vast scale. According to the original article in The Tribune, more than 100,000 "village-level enterprise operators", hired to help with Aadhaar enrollment, have been offering this kind of unauthorized access to the database. In fact, the problem seems to be even more serious than simply providing login credentials to thousands of people. Here's what another Indian site discovered:
Following up on an investigation by The Tribune, The Quint found that completely random people like you and me, with no official credentials, can access and become admins of the official Aadhaar database (with names, mobile numbers, addresses of every Indian linked to the UIDAI scheme). But that's not even the worst part. Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters -- the Aadhaar database won't ask.
Even if biometric data is not involved, it's hard to see how UIDAI could claim that these aren't breaches of the database, or deny that the entire Aadhaar system is seriously compromised. It's almost inevitable that the security of an important database system will be defeated eventually in some way, since the rewards are by definition so high. The fundamental problem with Aadhaar is its underlying intent -- to create a single, giant database with key personal information about a billion people that can be accessed very frequently and very widely. That's never going to be safe, as the inevitable future breaches will confirm.
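The two failure modes described above (a demographic search facility handed to large numbers of operators with no effective limit on its use, and an admin role that any existing admin can hand to anyone, with no identity check) come down to access-control design. The following Python is an added illustration, not code from UIDAI, The Tribune or The Quint: it models a lookup portal with the weak pattern beside a hardened form that ties admin grants to an out-of-band vetted roster, requires a second approver, caps lookups per credential and writes every decision to an audit log. All identities, Aadhaar-style numbers and records are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a policy check fails."""


# Constructed sample records with the demographic fields the reports list
# (name, address, PIN, phone); every value here is fake.
RECORDS = {
    "1234-5678-9012": {"name": "A. Sample", "address": "1 Sample Rd", "pin": "110001", "phone": "+91-00000-00000"},
    "2345-6789-0123": {"name": "B. Sample", "address": "2 Sample Rd", "pin": "400001", "phone": "+91-00000-00001"},
}


class WeakPortal:
    """The pattern the reports describe: any admin can mint admins; lookups are unmetered and unlogged."""

    def __init__(self):
        self.admins = {"seed-admin"}

    def grant_admin(self, granter, new_admin):
        if granter not in self.admins:
            raise AccessDenied("granter is not an admin")
        self.admins.add(new_admin)  # no roster check, no second approver, no record kept

    def lookup(self, user, number):
        if user not in self.admins:
            raise AccessDenied("not an admin")
        return RECORDS.get(number)  # unlimited and unlogged


@dataclass
class HardenedPortal:
    """Hardened form: vetted roster, two-person grant, per-user daily quota, append-only audit log."""

    vetted_officials: set                       # identities vetted out of band (hypothetical HR roster)
    daily_quota: int = 20
    admins: set = field(default_factory=lambda: {"admin-a", "admin-b"})
    pending: dict = field(default_factory=dict)  # candidate -> proposer awaiting a second admin
    lookups_today: dict = field(default_factory=lambda: defaultdict(int))
    audit_log: list = field(default_factory=list)

    def _log(self, actor, action, target, outcome):
        self.audit_log.append({"actor": actor, "action": action, "target": target, "outcome": outcome})

    def _require_admin(self, actor, action, target):
        if actor not in self.admins:
            self._log(actor, action, target, "denied: not an admin")
            raise AccessDenied("not an admin")

    def propose_admin(self, proposer, new_admin):
        self._require_admin(proposer, "propose_admin", new_admin)
        if new_admin not in self.vetted_officials:
            self._log(proposer, "propose_admin", new_admin, "denied: not on vetted roster")
            raise AccessDenied("candidate is not a vetted official")
        self.pending[new_admin] = proposer
        self._log(proposer, "propose_admin", new_admin, "pending second approval")

    def approve_admin(self, approver, new_admin):
        self._require_admin(approver, "approve_admin", new_admin)
        proposer = self.pending.get(new_admin)
        if proposer is None:
            self._log(approver, "approve_admin", new_admin, "denied: no pending proposal")
            raise AccessDenied("nothing to approve")
        if proposer == approver:  # two-person rule: the proposer cannot also approve
            self._log(approver, "approve_admin", new_admin, "denied: self-approval")
            raise AccessDenied("proposer cannot approve their own proposal")
        del self.pending[new_admin]
        self.admins.add(new_admin)
        self._log(approver, "approve_admin", new_admin, f"granted (proposed by {proposer})")

    def lookup(self, user, number):
        self._require_admin(user, "lookup", number)
        if self.lookups_today[user] >= self.daily_quota:
            self._log(user, "lookup", number, "denied: daily quota exhausted")
            raise AccessDenied("daily lookup quota exhausted")
        self.lookups_today[user] += 1
        record = RECORDS.get(number)
        self._log(user, "lookup", number, "hit" if record else "miss")
        return record


def weak_chain_length(steps=3):
    """Admin rights propagate through a chain of strangers in the weak model; returns the admin count."""
    portal, granter = WeakPortal(), "seed-admin"
    for i in range(steps):
        new = f"stranger-{i}"
        portal.grant_admin(granter, new)
        granter = new  # each newly minted admin can mint the next
    return len(portal.admins)


def hardened_demo():
    """Run the hardened flow end to end and return the decisions it produced."""
    portal = HardenedPortal(vetted_officials={"officer-1"}, daily_quota=2)
    denials = defaultdict(int)
    try:
        portal.propose_admin("admin-a", "stranger")  # not on the roster
    except AccessDenied:
        denials["roster"] += 1
    portal.propose_admin("admin-a", "officer-1")
    try:
        portal.approve_admin("admin-a", "officer-1")  # same person: blocked
    except AccessDenied:
        denials["self_approve"] += 1
    portal.approve_admin("admin-b", "officer-1")
    for number in ("1234-5678-9012", "2345-6789-0123", "0000-0000-0000"):
        try:
            portal.lookup("officer-1", number)  # third call exceeds the quota of 2
        except AccessDenied:
            denials["quota"] += 1
    return {"admins": set(portal.admins), "denials": dict(denials), "log_entries": len(portal.audit_log)}
```

The quota and the audit log are what make the misuse the UIDAI describes detectable: a credential issued to help a resident recover a lost slip has no reason to resolve hundreds of numbers a day, and the log gives investigators the actor behind each lookup rather than a shared "gateway" login.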
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: aadhaar, database, hacked, id, identity, india, privacy
Reader Comments
*grabs popcorn*
This is going to be an interesting shit show.
[ link to this | view in thread ]
It is completely secure...when it's completely shut off.
[ link to this | view in thread ]
Apparently they outsourced their tech support...
[ link to this | view in thread ]
Weakest link :)
[ link to this | view in thread ]
They Want to Jail The Reporter
Methinks someone at the UIDAI is embarrassed right now.
[ link to this | view in thread ]
Re: They Want to Jail The Reporter
[ link to this | view in thread ]
Some official with authorized access to a customer grievance portal allowed someone to look up the name and address for a given Aadhaar number. Do you share your SSN? If others don't have your Aadhaar they can't look up your details. It's funny how people interpret this as a compromise of the UIDAI system.
[ link to this | view in thread ]
Re:
They are going after the reporter for other unrelated reasons I'm sure
/s
[ link to this | view in thread ]
Google has more for free
[ link to this | view in thread ]
Re: Re: They Want to Jail The Reporter
[ link to this | view in thread ]
Six Degrees of Separation
I think it is time to give this Six Degrees of Separation thing a trial. All the admins make everyone they know an admin and let's see if we can get the whole planet signed up.
Can admins demote other admins? If they can, then bonus points if we can lock all of the proper admins out.
[ link to this | view in thread ]
As predicted ....
https://www.no2id.net/wp-content/uploads/2013/12/database-man.pdf
https://www.no2id.net/wp-content/uploads/2013/12/takejane-
After an extended national campaign, we got the UK scheme stopped. Thank goodness.
[ link to this | view in thread ]