Hello and welcome to NewsClick. The security of Aadhaar is once again in question, after the Tribune story that said that any data can be bought for 500 rupees. To discuss the same, we are joined by Bappa Sinha, who is from the Free Software Movement of India. Welcome to NewsClick, Bappa. What does this story signify?

See, the Tribune story is not the first story and it's not going to be the last story about security leaks in the Aadhaar system, right? There have been many such reports before. Last May, there was a report by CIS, the Centre for Internet and Society, which had said that some 13 or 14 crores of Aadhaar information was leaked from four government websites. And along with that, some 100 million, which is, I think, 10 crores, of bank information of those individuals was leaked, right? But the Tribune story is significant in that, see, we all know that Aadhaar is like porous, it's leaking data, right? But even in our worst imagination, we hadn't imagined that you could pay somebody on WhatsApp 500 rupees and get access to a database of a billion people, right? You can literally enter any Aadhaar number and download that person's personal information.

If I'm right, you also wrote a story for NewsClick a few days back which pointed out how the ration shops that are running these Aadhaar centres, from there also the data is leaking, right?

I had done this about two months back, and with a very quick search on the internet, right? If you go to Twitter and search for Aadhaar leaks, I had come across a few tweets, and from those tweets, literally in spending 30 minutes, I managed to download, or rather get access to, 10,000 Aadhaar records from what are called e-Kendras. e-Kendras are these corner shops, these minor websites which are giving Aadhaar-related services, which the government encouraged, right? The government encouraged them as enrolment centres and centres where you go and do your whatever Aadhaar verification.
And these guys have no idea about security, no conception of security, right? And they were just putting out people's information, along with bank information, out in the open, right? And it's just shocking that the entire country's information is being put out in public for various actors with malicious motives to act on, right? So you can talk about scammers, about phishing gangs; it's also a national security threat, right? So people from abroad can get intimate information about every citizen, and the government seems to be callous about that.

But how is this data leaking? I mean, how is it reaching these people who are selling it for 500 rupees on WhatsApp?

How Aadhaar is envisioned is that the Aadhaar information is kept in a central database. Now the government claims that that database is secure, and that has the Aadhaar number, the personal information, like your personal information and your biometrics, right? And the only access to the database is through what are called ASAs, authentication service agencies. And there are, last I know, there were 26 of these. These are large entities, right? So they can be government entities, they can be private entities, they can even be multinational entities, right? Mastercard is in that list. So these 26 entities have access to the central database through leased lines. And the government says this is secure. And let's take the government's word on that, that the central, the CIDR, the central database is secure, okay? And access to the central database is restricted to 26 entities through leased lines. So let's say, let's buy the government's argument that that cannot be hacked. But then these 26 entities are kind of the primary brokers of this information, right? Then there are what are called AUAs, authentication user agencies. And there are roughly 250 of these who talk to the AUAs to access the same information, right? And then these 256 AUAs have sub-AUAs.
And the sub-AUAs then can be accessed through all your kirana stores, e-Kendras, any point-of-sale terminal. If you go to a bank, they will ask you for an Aadhaar card. So they are effectively taking your Aadhaar information. So let's say you go to a carrier, right? Airtel or Vodafone will ask you for Aadhaar authentication. So what they are doing is, when you go to an Airtel store and you give your fingerprint, that is going to an AUA. The AUA is connecting to the ASA. And the ASA talks to the central database. And then the authentication information comes back. The problem with this architecture is that here you have a critical resource which is linked to every activity of your life, right? Effectively that information, your personal information, which is your name, your date of birth, your address, your photo ID, your father's name, is everything that is needed by a phishing artist to create a fake bank account in your name, right? So that information is stored in the Aadhaar database, and your biometrics are stored in the Aadhaar database. So a critical resource of the entire population of this country, access to that is callously given to all these entities. And see, if you are a security expert, there are a few guiding principles in security, right? One is that in a security system, the strength of the system is the strength of the weakest link. But here your weakest links are these e-Kendras, right? Who have no knowledge about security. And you would think that such critical information would only be restricted to certified government agencies, right? Like, for example, the US has a social security number, right? Now the social security number is by law. Only government agencies have the right to take your social security number and access whatever database, right? Here, forget about the e-Kendras. Even at the core of the system, the ASAs, there are private companies, right?
There is Bharti, there is Vodafone, Reliance, Mastercard, a multinational company. And forget about the fraud which is going to happen in the e-Kendras, right? The attacks on the e-Kendras, right? I am not saying that every e-Kendra guy is a criminal, right? But the guy doesn't have the competence to deal with an attack on him.

You mean the cyber attacks and all?

Yeah, yeah. So, I will come to that later. But even at the core of the system, Bharti Airtel is one of the ASAs. And Bharti Airtel was charged with taking your Aadhaar information and opening payment bank accounts in your name and diverting subsidies to those bank accounts. So, the fraud is at the core, right? And in such a system, the weakest link is from the core to the periphery, right? And so, inherently this is a fraud design. And it is a fraud design for something which is critical, right? So, another elementary security guideline is that you don't link different aspects together, right? For example, you may have many accounts on many websites, right? You may have many mail accounts, different bank accounts. As a general security precaution, you do not have the same password for all your accounts. And the reason for that is, if one of your passwords gets hacked, you don't want everything to get hacked. Now, here is a case where you have a number and the password is your biometrics, which you can't change, right? And so, if your biometrics were to get hacked, then you are done, right? But the system is designed like that, right? All of us are familiar with credit cards, right? And it's not just in India; the world over, when you have credit cards, look at the precautions that a credit card has, right? And credit cards have been around for decades now. And so, it's a mature field. Some of the best brains in the world have worked on it. But every credit card has a few precautions, right?
The precautions are that it has a PIN associated with it, which you can change at any point in time. The second precaution is that every credit card will give you a 24/7 number which you can call and cancel it at any point in time if your card gets compromised. And the third precaution is your credit card has a credit limit, right? So, you can only withdraw up to the limit, right? So, your liability is linked to that limit, right? So, if your limit is, let's say, 2 lakhs, the maximum fraud that can happen to you is 2 lakhs. But for Aadhaar, if you look at it, you cannot cancel an Aadhaar number. It's for life. So, if your Aadhaar gets compromised, you are done for life. You cannot change the password, because your biometrics can't be changed, right? And there is no limit, right? Aadhaar is linked to your every bank account, supposedly, right? The government is forcing you to do that. It is linked to your phone. It is linked to every... If you... Now, they are saying that to get admitted to school, you need an Aadhaar card; to go to a hospital, you need an Aadhaar card. Even when you are dying, you need an Aadhaar card. Even after your death, you need an Aadhaar card for your relatives to get your death certificate. And so, everything is linked to this one number which cannot be revoked, whose PIN you can't change. It is... By design, it's a security nightmare.

Let's come back to the cyber attack part that you were mentioning. How is that being done?

One of the interesting things is that any time these leaks have been reported, and there have been many reports, right? And the Tribune report is the most recent of them. The government has two responses, right? One is to say the Aadhaar database did not get breached. By that, what they are implying is that the biometrics are not breached. What they are conveniently not telling you is that the Aadhaar database is not just the biometrics. It is also the personal information.
And in every one of these cases, the government is not denying that personal information is leaked, right? I mean, that's for everybody to see. On the biometrics side, there was a WikiLeaks report, I think last year or the year before that, which said that the CIA has access to the entire biometrics. The CIA actively has a program which tries to get biometrics from different countries covertly. And this company, which has a relationship with the CIA, the government had contracted this company to get the biometric devices. The government's claim that biometrics have not been hacked, that is dubious. But even if you take that claim at face value, look, if you go to what is called a point-of-sale terminal, right? So you go to your kirana store, you go to an Airtel shop, a Vodafone shop, to give your fingerprints and your Aadhaar number. Now, what is to say that the fingerprint scanner or the iris scanner they have, that there is not a skimmer which is making a copy of your biometrics? They already have your Aadhaar number. So if that guy is a criminal, your kirana store is a criminal, he can easily take a copy of your biometrics. He has your Aadhaar number and he can impersonate you. But even assuming that that guy is honest, let's say the laptop or the PC to which the scanner is connected, let's say that has a virus, that has malware, right? And that malware intercepts the biometrics and skims them off. So they have stolen your biometrics. So for the government to claim that this is somehow like this holy, sacred thing which cannot be stolen, that's just ridiculous.

Also, as far as I know, I mean, the government is also saying that they're working on it and Aadhaar is essential. It's the same BJP which had opposed Aadhaar when they were in opposition.

The primary response that they also gave to this entire Tribune story: UIDAI filed an FIR on the reporter and the newspaper.
Along with the FIRs, the government, if you read the news articles carefully, the government said that they're encouraging these e-Kendras to now move into government premises. And apparently some 4,000 have moved in and some 26,000 are in the process of moving in. How many of them are there? And after all these years they are like encouraging, right? And as if moving to the government premises will all of a sudden solve the basic problems of security? Yeah, I mean, the CIS report that was looking at the government websites, right? But let's say the government now has learned a lesson and provided this strong firewall where all these people can move in. But you have lakhs of them, right? And 4,000 have moved in, and moved in after so many years. Nandan Nilekani, who is kind of the father of this thing, he goes on an interview last year and he says that, look, Aadhaar is no more insecure than a smartphone, right? And people, you are using your smartphone all the time and you are least bothered about your security. So Aadhaar is no more... look at the callousness of it. He says that a smartphone you are using daily. Aadhaar, on the other hand, is sporadic, right? So you only go... I mean, it's a ridiculous argument, right? You have linked your Aadhaar to your bank account. How is it sporadic? I mean, you can make transfers based on your Aadhaar number, right? Somebody can impersonate you and do money laundering based on Aadhaar numbers, and somehow we are supposed to feel comfortable that, oh, Google and Apple and Amazon are stealing your information which you are willingly giving, and here the government is forcing you to give that information, and this information is, by the way, linked to the most critical activities of your life, and it's okay, it happens; that's the government's response. It's the same government which, I think in 2015, went to the Supreme Court and said that the right to privacy cannot be a fundamental right of a citizen.
So what else can you expect from a government which, if you look at Aadhaar in total, there has been news around this country that people have died because they didn't get a ration card, people have died because they were hungry and their fingerprints didn't match.

Even if you leave these things aside, the question still remains: I'm sure that the government knows about these problems, and if yes, then why are they still going ahead with it?

The one-word answer is: it doesn't care, right? Why is the government doing it, right? The official stated purpose is the government is doing it because it saves the government a lot of money, and leaks and corruption will all magically disappear, right? And different people, right? Different government officials, different UIDAI people, the government argued in the Supreme Court, Nandan Nilekani, they come up with this figure, this magical figure of 9 billion or 11 billion, at different times the figure changes, but it's in that $10 billion range. $10 billion have magically been saved by Aadhaar. That justifies doing all this, right? It turns out that there was a report on this last year. That number was picked up from a World Bank report, right? A World Bank-funded report, a World Bank think tank report, and they referred to another article from where they got their numbers, and if you go to the source article, that doesn't say that $10 billion have been saved. That says that the total government transfers to individuals, like for MGNREGA payments, for PDS, for various benefits, that amount is estimated to be $10 billion. So the $10 billion is the total transfer; $10 billion is not the savings. Why the government is doing it is for a couple of reasons, right? One is it's a wonderful security tool for the government. The government can monitor every aspect.
The other aspect is, if you listen to what the technical people are saying carefully, they use this word that it's about data, and they also talk about how data is the new oil.

I mean, it's basically that once you have the data and once you have your link with everything, basically the witch-hunting becomes very effective on the part of the government against any sane voice which is raising its voice against the government, against government policies or any such things. The witch-hunting may strengthen day by day.

Yeah, there is a surveillance aspect to it, and then there is also the commercial aspect to it, right? For example, your insurance premiums will be linked to what you are doing, and there are various ways to make money out of it.

Anyway, let's see, the Supreme Court is going to hear the Aadhaar case again this month, and let's see what comes out of it. Till then we can only wait and watch what's going to happen, and we'll be coming back to you on such issues again. Thanks a lot, Bappa. Thank you for watching NewsClick. Keep following our website and our Facebook page.