Hello and welcome to NewsClick. Today we have with us Bappaditya Sinha, who is part of the Free Software Movement of India and has also been studying the Aadhaar issue for quite some time. Bappa, a lot of people have raised issues of privacy, but there have been concerns, which you have also raised, regarding security issues that affect not only the individual but also the banking system. Now, we recently had the case of the Aadhaar app, for instance, the mAadhaar as it is called, which is very easily broken into by anybody. Issues have also been that various Aadhaar card numbers have been linked to phone numbers without the original Aadhaar holder even knowing about it. Now, what does this indicate? Do you think that basically the whole issue boils down to the fact that originally Aadhaar was supposed to be a biometric system? Now the Aadhaar card, the Aadhaar numbers, mAadhaar are all being used as identity proofs, which was not the original intent.

Right. So, initially, when Aadhaar was formulated, the idea was that you could provide your Aadhaar number to somebody and, using biometrics, you would get verified. So that's a proof of identity: electronically, digitally, you get identified. So you could go to a store or you could go to a bank and, in order to prove who you are, your number along with your fingerprint or your iris scan would be sufficient to uniquely identify you. And Aadhaar is not meant to be used as your ID card, right? It's not your driver's license, where the physical card is a proof that you are who you claim to be. It was meant for digital verification. But what we have seen is that it has been used widely, both by the government and by private companies with the encouragement of the government, as an identity card, where people are taking photocopies of your Aadhaar card.
You go to an airport, flashing your Aadhaar card, and people would then say that because you're carrying your Aadhaar card, that proves that you are who you are. But Aadhaar was not meant to be that system, and using Aadhaar in that fashion is problematic.

When you say it's problematic, why is it problematic? Now, one of the issues, of course, is that the government is saying any printout of the Aadhaar is equivalent to the original Aadhaar. There is no concept, in that sense, of the original Aadhaar. It's also saying the mAadhaar, which you can download on your mobile, is equivalent to your Aadhaar ID. Now, essentially these are multiple IDs, or the same ID copied multiple times. Why does it create a security problem?

Yeah, so there are two things. One is your physical possession, as well as the security features which are introduced to further enhance the security. For example, if you lose your passport or you lose your driver's license, then you are immediately supposed to contact government authorities, because there has been a breach. With Aadhaar, the government has taken different positions at different points in time. Because if you know the Aadhaar number, using it anybody can log into the UIDAI site and get a printout of your Aadhaar card, and the government at one point is saying that is sufficient. Now, if that is sufficient, that means that the physical possession of the Aadhaar card does not prove that you are who you claim to be. But at the same time, that has been widely used at different places to establish your identity. Now, why that is problematic is that if you can print multiple copies of the ID cards, then if you lose your ID card, somebody else can take that ID card and then claim to be you.
You don't have to lose your ID card. Somebody, as you said, could print out the ID by just getting your ID number. As long as the Aadhaar number is known, and we'll come to that in a minute, they can print out a copy of it, as you said. So you don't even have to lose it; officially, any copy is a valid copy according to the government.

Yeah. When you go to the government's UIDAI site, you have to give your Aadhaar number and some other form of identification, right? Be it biometrics or OTP. But if somebody were to have access to that, they can take a printout of the card and then claim to be you, because they are physically producing that card, and that is acceptable in many places.

You know, when you link your Aadhaar number to, for instance, your phone or your bank account, even these procedures are not followed. You just give the Aadhaar number and that gets linked to your phone numbers and so on. Secondly, it seems to be very easy to do within the system. So do you see that as also a problem, that for instance a criminal might use my or your Aadhaar number, if it is available in the public domain, and link it to criminal activities using their phones or their bank accounts?
Oh yeah. The Aadhaar ecosystem is so wide; it is not restricted to a few certified government agencies. The government has contracted with certain private entities, and then it has encouraged a whole ecosystem of people to be enrollment agents, to be taking your biometrics. I think the estimates are that there are more than a few lakhs of these people, and if any of these people were to want to criminally impersonate you, then it's very easy for them. If you go to an Airtel shop and give your fingerprint, and the person who is taking the fingerprint wants to steal your ID, then it's relatively trivial for that person.

That, of course, is with the biometrics. I want to talk about this: even if they don't have your fingerprints, they can use the Aadhaar number and link it to various bank accounts and, for instance, their phone numbers. In fact, there are multiple examples of this happening, and we have enough examples in the press in recent times which show that phone numbers of people have been linked to Aadhaar cards without the people who have the Aadhaar number even being aware of it. So this obviously seems to be an easy thing to do. We have had cases where a Pakistani agent, who was deported back to Pakistan, had an Aadhaar number, and that was linked to various subsidies and bank accounts and telephone numbers and so on. Gas subsidies, gas and bank accounts, which showed that apparently the Aadhaar number of a person can be easily linked to these things without the biometrics being used. And the original act, if you remember, didn't really envisage this. The original act considers biometrics to be the basis of verification; it really doesn't envisage the use of the Aadhaar card as the proof of ID, which it seems to have now become.
Yeah, sure. So I think in a country like India, right, where it's a vast country and in many places you have either no or intermittent electricity and internet connection, I think it started off in those places. In order to do your biometric verification you have to go all the way back to the central CIDR to get it verified, and if you have intermittent or no internet connectivity, then you can't do that, right? So then what people would do, and this is not only in rural areas; even if you go to posh areas in Delhi and want to do Aadhaar verification, they will say, okay, we are going to take a photocopy of your Aadhaar, we are going to take your biometrics, and we will upload it the next day. So there is a period of time when they are holding on to that data, and if somebody wants, they can easily make a copy of the data and do whatever they want to do with it.

You know, the argument about this issue is also that, for instance, something like 250 million Aadhaar numbers are already in the public domain because the government posted them on many occasions. This was pointed out by the Center for Internet Studies, after which the government filed an FIR against them; it is always the shooting-the-messenger model, as it were. The consequence of this is that, though it might have gone off the news, the reality is there is a huge number of Aadhaar numbers which are out in the public domain. You yourself have done a small study which shows that a lot of the eKYC people hold the data in open form on computers where the IP addresses are available and everybody can log in. This doesn't involve hacking, and they are completely unsecured against any such intrusion. So if so many Aadhaar numbers are in the public domain, no criminal will then use his own Aadhaar number for bank accounts and for phones, but is going to link all these open numbers to such activities. Isn't the government even thinking about this? What is happening?

So the
government seems to be in complete denial mode. Like you said, the standard response of the government is to file FIRs against the whistleblowers, against the people who point out security holes. The other thing is to say the biometrics have not been breached, right? That is the standard response. But what these different stories have shown is that the leaks are widespread and they could easily be used for any amount of criminal activity, right? The other thing is that on all these internet sites people are taking photocopies and keeping Aadhaar, PAN and bank information together openly, right? There is not even an attempt. And forget about the e-Kendras on the private side; the CIS study showed that government departments were doing this.

So the government departments, too, various of these people, are keeping all of this openly. So this is essentially an issue where the original intent of Aadhaar, which is biometric verification, has given way to verification using the Aadhaar card or the Aadhaar number or mAadhaar, as it has been called. In effect, it is a complete change of tack from the original intent, and as you said, it seems to have happened because of convenience: it is more difficult to do verification in real time, particularly with intermittent connectivity, intermittent electricity and so on. The financial system cannot really work on this basis, and therefore this convenience is what has created a big security hole in the Aadhaar system. This is what I understand you are saying. But my question is: can the Aadhaar system now actually be saved, given the fact that it is being used in this particular way? Or, if it has to work, has it got to go back to biometric verification and live with the problem that you have intermittent connectivity and intermittent electricity?

So, yeah, multiple questions to that, right.
Now, if you take the known leaks, right, and the CIS leak was one of the biggest ones, like you said there are roughly a quarter of a billion people whose Aadhaar we know has probably been leaked. So that is like 20% of the population of the country. Then the Tribune report showed that effectively people were given access to a website where you could enter any Aadhaar number and get that information for all the billion people. Different estimates say that there was a period of months where that access was available, till the Tribune broke the story and they withdrew the access. If you go by the Aadhaar number and remove the certain digits which are coded for the sanctity of the number, there are roughly 80 billion such numbers. Now, for a computer program to scan over 80 billion numbers in a time period of months is trivial. So for all we know, all numbers, not just a quarter of a billion numbers, have already been leaked, and that information is already available to people.

At this point, then, what can be done to save the system? Well, our personal information is no longer personal; it's all now in public. But in order to save the system, one is that you go back to only using it as biometrics, but there has to be additional security on top of biometrics: a password, a PIN code which you could change. That at the very least has to be done. But the whole intent of Aadhaar was to get away from doing that, right? So then the whole point of Aadhaar is lost. I mean, the government seems to be hell-bent on defending the indefensible, but at this point it seems difficult to salvage this thing. At the very least, linking Aadhaar to all things, including getting a haircut, including getting a beard trim, from banks to, you know, phone numbers, all of this should stop, because these are
really opening the way only for criminals to misuse the system, and it doesn't do any good to anybody. What else? How are you going to find people if you have a gaping hole in the system that anybody can use? And if you link it to things like your mobile system, right, your telecom system, and you link it to your banking system, if you think about it, and given that all this information has now become public, you are opening not individuals but the country up to cyber attacks. There have been cases elsewhere in the world, right? We know, for example, that critical Iranian installations were cyber attacked by US intelligence agencies; those stories have been there. Now what you're doing is you are not only opening yourself up to cyber attacks from other states, you are opening yourself up to cyber attacks from rogue elements, right, from terrorists. Now it's curious that a government which claims to be a nationalist government is giving away your country's security to terrorist elements and shooting the messenger.

The last question: there is a French security expert who showed how the mAadhaar app was faulty, the number of holes in it. It seems that UIDAI has done something with regard to that. What happened?

So that has now become a joke. There is this French security expert who goes by the name of Elliot Alderson, and he has been posting on Twitter. He was scrutinizing the mAadhaar app and he found just elementary mistakes; he called the level of the Aadhaar app the level of a school project. He found the Aadhaar app was actually not signed by Aadhaar or the company which UIDAI had contracted it to, but had been signed by Google. So what it means is, when something is signed by Google's known signature, anybody can create another app which doesn't do what it's advertised to do but steals your information or makes bank transfers in your name, and you wouldn't know, because their app is signed by Google. And the passwords they were using were sample passwords which Google had given in its code. You are supposed to take those passwords and then create your own password, but they hadn't bothered to do that. As a result it was trivial to hack the mAadhaar app. So, according to his tweets, if you lost your cell phone and you had mAadhaar on it and you had logged into that app, then you can assume that your Aadhaar is compromised and your bank accounts are compromised. So he had pointed all this out to UIDAI and asked them to fix the problem.

Asked them to fix the problem?

Well, he was sarcastic about it, but he did ask them to fix the problem. And the initial response from the government was to pull the apps down, sorry, to take down the apps from the Google app store. But it now seems that they have put it back up without fixing the problems, and they've just restricted the viewership of the app to India, so our friend the security expert is not able to access the app sitting in France. Of course, it is trivial to bypass that. So what we are effectively looking at is that the level of technical sophistication of the people who are responding to these whistleblowers, and to the public who are pointing out flaws, seems to be extremely low. The technical competence... they seem singularly incompetent in dealing
with an app of this complexity. They believe that the problem will go away if you shut your eyes to it, or you shoot the person who is telling us that there is a problem.

So Nandan Nilekani, he said that it's an evolving system.

So, it is understood in these things that if you come up with any piece of technology, you improve the technology over time. But you don't come up with a schoolboy project and impose it on the population of the country and on the banking system of the country and then say that we are going to evolve.

Anyway, we seem to be evolving backwards, going from school project to primary school project. Thank you very much, Bappa, for being with us. This is all the time we have for NewsClick today. Do keep watching NewsClick.