Loopholes in Aadhaar: Lax security measures seen in enrolment

NEW DELHI: In what could point to serious security loopholes in Aadhar project, an internal risk assessment by the Unique Identification Authority of India (UIDAI) in 2012 had found that the enrolment device could be taken outside its defined territory, including foreign land, to enroll people and send data to UIDAI for processing.
The anomaly led a UIDAI committee, set up in the wake of the government's January 2012 direction to the authority to make its enrolment process more robust, to recommend installation of a GPS device in all enrolment devices.

This would ensure that enrolment happened only within the geographical boundary of India and also in the states allocated to UIDAI.

The cost of such device was covered in the revised cost estimates approved by the cabinet committee on UIDAI. However, the GPS feature was never implemented.

According to experts, non-enablement of GPS feature in the Aadhar enrolment device poses a security risk as it is possible to enroll people in non-Aadhar states as well as foreign territory if the operator of the enrolment agency connives with someone.

Since UIDAI allows enrolment of a person anywhere in the country by any enrolment agency, even if a few agencies get "compromised", a large number of ineligible people can get entry into the UIDAI database, thereby gaining access to banking services and DBT facility.

Though TOI repeatedly contacted UIDAI officials for their version, they were not forthcoming with a response.

The UIDAI's risk assessment exercise, assisted by HCL, also recommended other security upgrades such as scanning of proof of identity and proof of address documents furnished by the Aadhar applicant at enrolment, and uploading them as part of the enrolment packet.

This way the enrolment data could be matched with scanned documents during a subsequent quality check. Scanning, however, would mean a delay of few minutes per enrolment, besides additional costs and manpower.

Though UIDAI got the estimated extra cost on scanning approved by the CC-UIDAI, even this feature was never activated.

Even the offline system that UIDAI settled for to collect proof or identity/address documents, followed by their scanning by a vendor-document management service (DMS), has been far from perfect.

Not only was the DMS late in picking up documents from the enrolment agencies, but it was found in some cases that the agencies never collected the documents. There were also instances of documents not matching details of the Aadhar applicant, or being torn.

Experts cautioned such weaknesses could be exploited by the enrolment agencies to enroll residents without any document, including for a monetary consideration.

The risk assessment team had warned that with the connivance of the operator, it is possible that biometrics of a foreign national are captured to generate Aadhaar number to a local resident to give him two Aadhar numbers and also capture mixed biometrics of more than one person for a single enrolment.

Also found prone to misuse was a software that allows biometric exception cases. Primarily meant for the physically challenged, it enables such persons to be enrolled without fingerprints or iris scan.

It has come to the UIDAI's notice that a few unscrupulous operators have misused this feature to enroll able-bodied people without biometric data. This led UIDAI to intensify back-end checks, which led to large-scale rejection of enrolment packets.

Incidentally, the UIDAI has earlier rejected a home ministry suggestion for a security audit of Aadhar enrolment system.

Though UIDAI used to get demographic data verified manually by operators, this was discontinued in order to speed up Aadhar generation for DBT purposes.

Even the feature of having government supervisors posted at each enrolment station was eased over time. First, the government supervisor was replaced by the enrolment agency's own supervisor, and then, one operator was allowed to become supervisor for another, defeating the purpose of having a supervisor.