Hello and welcome to NewsClick. Today we have with us Mr. Prabir Purkayastha, the chief editor of NewsClick, and he's also associated with the free software movement. Thank you for joining us. Prabir, we have something to talk about regarding the UIDAI. Asia Times had a recent article considering, I mean, dealing with the whole client-based enrollment. So, can you please tell us something about what's the difference? I mean, what exactly is a client-based enrollment procedure?
Before we do that, I think the important issue which the Asia Times article has brought out, and also another article which has appeared on a website called Medium. Both of these are focused on the security issues inside the UIDAI Aadhar program. This is something we have been raising for quite some time. This is not new. We have raised it time and again, saying that the issue is not that the biometric data is safe, which is what the UIDAI authority keeps on saying. But more important than that is, is our personal data safe, which is linked to the biometric. In this case, what we're really talking about is even if the biometric data is safe, if our identity gets stolen and tagged onto the wrong biometric data, or if somebody is able to link their personal information to the biometric data, this mapping between the biometric data and the individual's personal data, if that mapping can be corrupted in some way or hacked in some way, what we have lost is essentially our identity in the digital world. I think that's the key problem which has been raised a number of times. In this specific issue, what the Asia Times article brings out, Saikat Datta's article, is that a number of people have raised this issue with the UIDAI authority, that there is a big problem that they see in which the enrollment software that is used, that seems to be easy to hack into, causing the possibility of this identity theft. Now, why is the software vulnerable?
This is the argument that Anand's article in Medium gives, is that they have used what is called a client-based architecture, which means the software that is used to enroll the person, which is the one which does the mapping, finally, with the biometric data and the person concerned. This is done using a software which is downloaded in the EKYC computer, which is at the EKYC Kendra. And if that happens, then it's a software which is resident on that machine. This is different from a web-based service in which the software resides on the central facility itself. And therefore, that's relatively more difficult to tamper with, because you can see the intrusions are not there. You can protect that server much more effectively than you can the millions of copies of the software that have been downloaded in the EKYC. Once it is downloaded into the laptop of these systems, then there are two things that happen. One is it is possible to hack into that software more easily, because it's there. You can study it. You can what is called disassemble it. You can, even if it's machine code, it can be put into what are called disassemblers. You can see what the original code was, and then you can see the flaws that may be there. And let's face it, anybody who writes software knows that there are software security holes that need either to be patched continuously, updated continuously, or need to be rewritten. This is a given in the software world that there is no software which is error-free, or in which there is no security hole. In this particular case, the question is, do people update their software regularly? Are the patches carried out regularly? Are the patches there in the operating system? Is that updated regularly? After all, the application just doesn't work by itself. It also works with the computer, with its own operating system. Therefore, there are more holes in the system than just the front-end that you have downloaded.
All of this means that a client-based architecture is much more vulnerable to being hacked than if it's a web-based service. In this particular case, the client-based architecture was chosen because of the poor connectivity, and therefore it was felt an asynchronous enrollment by which you sort of get all the information, and then you do a sort of one time per day or eight hours you update the data, and that's a much better way of doing it under conditions where electricity may be missing for two hours, your internet connectivity may not be there, and so many other factors. So in order to facilitate easy enrollment, this was the objective of the UID authority, what they've done is created a security hole within the system through which it appears that the system can be hacked. This, in essence, was also what was called the Tribune hack, whether this was the hack done, whether it was something else, we don't know. But the point is this seems to have created a big security hole through which it's possible to get access to the personal information which any EKYC Kendra can have, and also the possibility of changing it.
So considering the possibility of changing it, I mean, take for example, some unscrupulous element has gone ahead and downloaded this client and then prepared his own patches and made himself seem an administrator and then starts enrolling people, what is the potential harm that this could result in? I mean, would a client-based system be able to generate, say, Aadhar numbers?
Well, we have to see what the whole system actually is. Then we come back to this question. You have what is called the biometric database at the top, which is finally where our fingerprints and our iris scans really go into. It goes in from the bottom with this EKYC Kendra that you see at the bottom, and they are the AUAs or KUAs who are essentially the ones who tie up to what are called the ASAs. ASAs are the one which are the Aadhar service agencies.
The AUAs and the KUAs who are tied up to the ASAs. The ASAs are not very many. In fact, there are about, I think, 12 to 13 who are supposed to be very, very high-end people who have direct connection to the UID database. The rest of the people really connect through them. We are assuming the ASA to UID infrastructure is secure. Let us assume that for the time being. What happens if the EKYC and the ASAs and these are the AUAs who are very, very much larger in number? So any Aadhar service agency which verifies the Aadhar number for you and connects to various services that you may want to link through Aadhar, all of them in fact are the ones who have access through the AUA software to finally the biometric database, but it is a limited access. One must understand this access is only for the purpose of verification. But the point that is there is both the AUAs and the KUAs, because they have the ability to change your personal data, which is not supposed to be the core part of the data which the central depository holds. Therefore, it may be possible depending on the kind of software security protection that has been built into it. It is theoretically possible a hack at that level could lead to, as you said, the software declaring itself to be the admin and then making changes to the personal database, which means the mapping between your biometric data and you as a person, your other identity which is not your iris, which is not your fingerprint, could be changed. Essentially, therefore, your biometrics could belong to somebody else or somebody else's biometric could belong to you if I can hack into this database. And that seems to have happened because a number of people have complained about it. There are EKYC Kendra operators who have said this is the problem that they think that is happening. So, a lot of warnings seem to have been given in the last two to three months and this is what the Asia Times report indicates.
And as you saw earlier, we had a Tribune case which reported that this kind of access was available. They didn't talk about changing the personal properties. They didn't talk about changing the personal data, but they did talk about a level of access which should not have been available except to the top Aadhar officials in Punjab. So, given that, I think what we are seeing is what we have always argued, that linking data in this particular way opens the security holes much more. The more you link to a database, the more possibilities you have to interfere also in the database. In this particular case, poor security system, poor security architecture based on the fact our systems are not really real-time secure in the sense that it cannot work all the time without electricity, without internet. This is a problem. But given that, what has happened is the ecosystem built up around Aadhar seems to be a very leaky and a weak security system. It would not have been a problem if it wasn't supposed to link everything to it and if it was not supposed to be providing your authenticity as a person. And this is really the problem. The original Aadhar Act and the original Aadhar system envisaged that all the verification will be through biometrics. What has now started happening is you are arguing that the Aadhar card and the Aadhar number is your verification of you as you. Now this is as good as Anand has said it is the biometrics. This is as good as you giving a self declaration that you are you, because behind this the entire system is really leaky, and I think that is the biggest problem that is hitting today. It's compounded by one significant issue. The significant issue is the Aadhar authority refuses to accept, the government refuses to accept, they have a huge problem. The more money they put into a leaky system, the more things they want to connect to the leaky system without getting into the issues of privacy.
Without getting into it, the more you do it, the more you open yourself to identity thefts of the people. So I think what we are seeing is the Aadhar system's capacity for malicious use is going to grow exponentially because, A, it's a leaky system. It has a huge number of security holes in it, as it's becoming more and more clear with all the examples in these two articles. And the third, that the more connectivity you build into it, more access is being given to the AUAs, that the huge number of new AUAs who are being used today for gas, for mobile, for bank accounts, for even, I'm told, for getting an RFID tag for your ability to go on the highways, all of these are being linked to Aadhar. Each one of them is a link to the Aadhar system. Each one of them is using software which could provide theoretically a route to hacking of your personal data. I still agree that the biometric data may be safe, but the point is these are the issues that still happen. Our personal data, if it is stolen and mapped to something else, it really doesn't matter whether biometric data is safe or not. I'm not really concerned about the whorls in my fingers, whether they are safe or not. I'm really worried about my identity being still written as mine. And I must tell you the last issue, which again has been raised in one of these articles, is that it appears that the unique identity system, that means only one copy of your biometric information being attached to one person, even that is not being maintained in the UID database, and that's really a cause for concern, because somebody has said, how come my son or my daughter could be given an Aadhar card based on my fingerprints? I thought the biometric data was unique. So how can two Aadhar numbers be associated with the same biometric signatures? I don't know whether this is true or not, but if it is, then the other issue that also comes up is how unique is our unique identity, how the UID part of it is also unique. I think that also we need to see.
Thank you Prabir for sharing with us your thoughts on this matter and thank you for watching NewsClick.