The World's Largest Biometric ID System Keeps Getting Hacked

Critics of India’s Aadhaar—the world’s largest biometric identification system—have been vocal about its infrastructural flaws for years. Their fears have turned into reality as the list of security breaches into the system keeps growing.

Access to the personal data of more than 1 billion people is for sale for less than $10 through WhatsApp. India’s The Tribune newspaper was able to buy the data and also claimed that it could buy software that would allow them to print fake Aadhaar cards for about $5 more.

Aadhaar data includes fingerprints, retina scans, names, addresses, and phone numbers through which SIM cards can be purchased, and important government services and bank accounts can be accessed. According to multiple reports, biometric data was not exposed on WhatsApp, but names, addresses, emails, photographs, and phone numbers were.

The Unique Identification Authority of India (UIDAI), which oversees Aadhaar, says over 1.19 billion people have enrolled in the system since it began in 2009.

Even those who have been outspoken about Aadhaar’s privacy implications were caught off guard by the scale of the recent breach. “I’m not surprised by the breach, but I’m surprised at how widespread the access was,” Kiran Jonnalagadda, cofounder of the Internet Freedom Foundation, told Motherboard.

India’s ruling Bharatiya Janata Party has been quick to call the story ‘fake news.’ And the government agency that oversees Aadhaar has termed it a misuse of the program’s grievance redressal system rather than a breach.

But even before the WhatsApp story broke, Aadhaar’s security track record wasn’t good. In July, 210 government agencies published sensitive Aadhaar account information online. That came after as many as 600,000 children had their data leaked by another government website earlier in the year. And on the same day as the WhatsApp revelation, another local media report exposed a major loophole in Aadhaar’s security through which practically anyone can become an administrator for the entire system.

Telecommunications giants have also been at the center of Aadhaar controversies. Reliance Jio, which was launched by India’s richest man Mukesh Ambani, reportedly leaked the information of 120 million people online last summer. More recently, Airtel was accused of opening up bank accounts for customers without their consent when gathering Aadhaar biometrics to authenticate their mobile phone accounts. Almost $30 million in cooking gas subsidies were diverted into the Airtel accounts as a result.

From the perspective of the government and other proponents of Aadhaar, though, these incidents are relatively minor hiccups for a program transforming the lives of Indians and improving the country’s efficiency.

“It’s something which is doing much more good than harm,” Saket Modi, the CEO of Lucideus, a digital security services provider, told Motherboard. “These are small little bumps which have been over magnified.”

Ultimately, Aadhaar’s supporters champion the program as a way for the poor to easily obtain government subsidies, pensions, and food rations by using their fingerprints as ID. In August, the country’s Finance Minister Arun Jaitley described the linking of bank accounts to Aadhaar and mobile phone accounts as “nothing short of a social revolution.”

Modi, of Lucideus, agrees: “Let’s not forget this touches a billion people and there is no parallel program like this anywhere on the planet,” he said.

But as the government moves to make Aadhaar mandatory for an increasing amount of important services, bureaucratic and technical impediments have actually prevented many from getting the welfare they need. Several people are even believed to have died because they were denied access to food rations, pensions, or even hospital treatment in the name of Aadhaar.

Internet connectivity issues have led to people's fingerprints not going through at ration stations in rural India. Similar problems have been faced by people who have suffered injuries to their fingers, while others have faced authentication errors because of glitches or mistakes in the system. If people's Aadhaar biometrics are not being recognized, and Aadhaar is then made mandatory for them to get their pensions or even as an ID at a hospital, they're in trouble.

For Aadhaar’s critics, this is especially alarming. They say the program was always supposed to be voluntary, and point to several Supreme Court rulings that support their argument.

“It’s a broken, fundamentally wrong system,” Meghnad S., a public policy analyst who has worked for several members of parliament, told Motherboard.

“We are not saying scrap the whole thing…But fix the bugs first. Give us proof that 99.99 percent of it has been fixed and then, maybe, make it mandatory.”

The final Supreme Court hearing on the issue is expected later this month. But in the meantime, Aadhaar is essentially becoming de facto compulsory, with more and more people linking it to services like bank and mobile phone accounts out of a fear of getting cut off from those accounts.

“Basically [the government, phone companies and banks are] completely dependent on the confusion,” Meghnad said, adding that, because people think the program is compulsory, they sign up for it and associate many of their accounts with it: “People panic and they’re like, ‘Oh my god, we have to link it now, it’s mandatory.’”

In response to the ongoing pressure to jump on the Aadhaar train, Meghnad and Jonnalagadda launched speakforme.in, through which citizens can email Members of Parliament, banks and telephone companies about their concerns. Over 33,000 emails have been sent. Jonnalagadda says the campaign has had a direct impact on parliament, and has reinforced his faith in meaningful participation in democracy.

Still, the UIDAI’s decision over the weekend to file a police report against The Tribune and the reporter who broke the story, has been seen by many as “an attack on freedom of the press.” Jonnalagadda agrees and says this isn’t the first time the UIDAI has filed a police report against a journalist for exposing weaknesses in Aadhaar’s infrastructure.

“[The police report] is yet another instance of shooting the messenger,” he said. “In each case, someone reporting vulnerabilities in the system has been silenced instead of being acknowledged for their contribution.”

Correction: This post originally stated that specific biometric data was exposed; currently it is believed that only names, addresses, email addresses, phone numbers, and photographs have been exposed.