News

India’s biometric database is a massive achievement and a dystopian nightmare

Seven years ago nearly 400 million people in India did not exist in the eyes of the government. They were “ghosts” who had no identity and no way of getting one, says Sahil Kini, one of the architects of India’s controversial Aadhaar database. In a country trying to modernize on the fly and take its place among the world’s superpowers, this massive yet unknown population presented a huge problem.

So the Indian government set out on an ambitious course to build Aadhaar, the world’s largest biometric database, which would not only allow these people to participate more fully in society but also become a shining beacon of technological achievement for the rest of the world.

Videos by VICE

“What’s forgotten is that before Aadhaar was built there were 400 million people in India that did not have any form of identity; they were ghosts in the system,” Kini told VICE News. “So if you had to give them any kind of subsidy, you couldn’t, because they didn’t exist on paper.”

But as the database grew to include almost all of India’s 1.3 billion citizens, cracks began to appear, and in recent months those cracks have become chasms. Now more and more Indians say they worry that what the government actually created in Aadhaar is an all-seeing surveillance apparatus that has serious holes in its security and can be used to monitor all aspects of their lives.

India’s Supreme Court seems to agree, and its landmark ruling in August could derail the country’s crowning technological achievement. The court’s declaration that all citizens have a fundamental right to privacy presents a serious problem for India’s government, which has pushed aggressively to make enrollment in Aadhaar mandatory for most everyday services — including filing tax returns, buying a phone, and obtaining a passport.

A villager goes through the process of a fingerprint scanner during Unique Identification (UID) database system in the Pathancheru village, in Medak district of the southern Indian state of Andhra Pradesh April 27, 2010. ps the biggest challenge is smudged fingerprints. REUTERS/Krishnendu Halder

“What is emerging is that [Aadhaar] is being used to create a panopticon, a centralized database that’s linked to every aspect of our lives — finances, travel, birth, deaths, marriage, education, employment, health, etc.,” Reetika Khera, an Indian economist and social scientist, told VICE News.

Security concerns have plagued the system for years, but in recent weeks criticism has grown deafeningly loud. Earlier this month, as part of the Supreme Court case on privacy, an activist’s freedom of information request suggested that foreign firms were being given “full access” to the classified data — including fingerprints and iris scans.

The Unique Identification Authority of India (UIDAI), the agency that administers the system, strongly denied these claims, as it has done routinely in the face of criticism.

“UIDAI, once and for all, wants to reassure that Aadhaar data is fully safe and secure and UIDAI data center has robust uncompromised security 24x7x365,” a UIDAI spokesman told the Times of India Wednesday.

When contacted by VICE News, the UIDAI said its CEO, Dr. Ajay Bhushan Pandey, was too busy to answer any further questions about the security issues, and they didn’t respond to emailed questions.

“What is emerging is that [Aadhaar] is being used to create a panopticon.”

The rise in public angst can be directly tied to Aadhaar’s expanded presence in the upper classes of Indian society. Far from its humble beginnings helping India’s vulnerable access badly needed government benefits, Aadhaar now touches nearly all aspect of society — applying for a passport, voting, opening a bank account, purchasing a car. The system now also registers your death.

“The reason why Aadhaar is now becoming an issue in the national media — and internationally, too — is because the problems with it are now affecting urban, educated, middle- and upper-class Indians,” Khera said.

“A turbocharged Social Security number”

Launched in 2009, Aadhaar is a unique 12-digit number issued to each Indian citizen. Its creator, Nandan Nilekani, an Indian billionaire and former CEO of IT services giant Infosys, describes it as a “turbocharged version of the Social Security number.”

The number is linked to a citizen’s most personal information: name, address, date of birth, gender, as well as biometric information like fingerprints and iris scans. When signing up for a new bank account, for example, citizens typically now scan their fingerprint in order to verify their identity rather than showing an ID card or passport.

The government continues to claim that enrolling in the system is not mandatory, but increasingly, if you want do anything in India, you need to be registered with Aadhaar.

Villagers crowd inside an enrolment centre for the Unique Identification (UID) database system at Merta district in the desert Indian state of Rajasthan February 21, 2013.

“Aadhaar today is the hallmark of a confluence of interests of the state and the private sector which take away control from individuals and erode their liberty to make choices,” Apar Gupta, founder of the Internet Freedom Foundation, told VICE News. “It is building a massive surveillance apparatus in India that cuts against the grain of its democratic moorings.”

The latest new development has been the government’s willingness to grant private companies greater access to the system. Microsoft, for example, already taps into the database to confirm the identity of people using a version of Skype designed specifically for the Indian market. And Airbnb confirmed to VICE News that it is looking into Aadhaar as a potential option for verifying hosts. For now the company said it is testing the system with “a limited universe of hosts.” Uber also has been linked to the system, though when reached for comment, the company declined to provide any insights one way or the other.

Critics say this new phase of the system will allow the government an even greater ability to spy on its citizens and let private companies profit off valuable personal information. The government denies it has any access to the information held by these private companies, but the deals signed between the two parties have not been made public.

The database will be hacked

The Indian government has been slow to alleviate the concerns of activists and security experts who claim the system is vulnerable to cyberattacks. It has not allowed an independent audit of the security systems to be conducted, citing national security concerns. For one security expert, this lack of transparency is a major concern.

“We are told that the database is securely encrypted, but in the absence of a public security audit, nobody knows for sure,” an Indian security expert who works for a major U.S. technology company told VICE News. He asked to remain anonymous because he was not authorized by his employer to speak on the record.

“When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data.”

“That’s not helpful because the Indian government does not have a good track record with cybersecurity, as evidenced by the numerous daily breaches and leaks,” he said. “Indian government servers are consistently hacked.”

The government insists Aadhaar’s data center is “robust and uncompromised,” but by putting an entire country’s information in one place, they’ve made one massive target for hackers. Even if the security at the data center is as robust as the government claims, that may not be enough, given how many services are now accessing the data.

“When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data,” renowned cryptographer Bruce Schneier recently told Buzzfeed.

Even if the government did submit to an independent audit of how the data is collected, transmitted and stored, it would still run into one undeniable roadblock: It has no one to do it.

“The problem is that India simply has no laws or regulations governing how personal data is collected, data such as the metadata collected by mobile operators, financial data collected by banks, medical records collected by hospitals,” Kini said.

Because India does not have a privacy law, there’s no legal framework in place to create an independent authority who could legitimately conduct such an audit.

No legal basis for Aadhaar

Efforts to enact a Personal Data Protection Bill have been in the works since 2006, and as far back as 2010 Aadhaar’s founder said he’d support a law that protects the data collected through the Aadhaar system. But nothing has materialized.

Further, a 2012 Supreme Court ruling determined that the government was implementing Aadhaar without any legislative backing. Unconcerned, the UIDAI continued to enroll citizens anyway, doing so with scarce legal precedent and no legislative backing. (Only in 2016 did Aadhaar finally receive legislative backing from India’s Parliament, by which time nearly 1 billion people had already been enrolled.)

Under Prime Minister Narendra Modi, the government has grown even more aggressive when it comes to pushing Aadhaar forward, making it mandatory on 22 massive government schemes in the first 60 days of 2017.

The government has said it’s willing to advance Aadhaar beside a privacy law, but given that it recently argued before the Supreme Court against the fundamental right to privacy, many critics doubt its true intentions.

“It is really about ugly ambition, and a deep disrespect for people.”

And the issue isn’t going away. Privacy breaches are already happening on a daily basis. Leaks have become commonplace as the number of services demanding Aadhaar, and the number of new enrollees, grows. The public’s concern turned to outrage in March when a government-authorized Aadhaar enrollment center published the personal details of former Indian cricket captain MS Dhoni — one of the most famous people in the country.

UIDAI’s leadership appears unconcerned with the breaches, insisting a leak like Dhoni’s wasn’t a major problem because it’s just a number. “Aadhaar is not a secret number like your password or PIN that can materially affect your life tomorrow if it is leaked without your knowledge,” Dr. Pandey said in July while revealing that 4,700 Aadhaar operators had been fined for enrollment violations — such as attempting to charge for enrollment or failing to adequately protect the data — in the past seven months.

Pandey’s argument doesn’t hold water, critics say. Just look at the U.S., where criminals have used Social Security numbers to commit fraud for decades. But critics say Pandey’s argument is especially dubious when it comes to India’s most vulnerable population, those Aadhaar was originally created to help.

For India’s illiterate, who account for nearly a fifth of the population, systems like Aadhaar become less a development tool and more a potential source of frustration and abuse. “In such a society, to impose an infrastructure that requires technical, digital, and legal literacy is an unfair demand and also an invitation to fraud on the most vulnerable people,” Khera said.

Usha Ramanathan, an expert on law and poverty, said the relentless push to universalize Aadhaar despite its many technical and ethical problems came down to two things: “It is really about ugly ambition, and a deep disrespect for people.”