A password for crime

August 11, 2017, 4:51 pm
A password for crime
A password for crime

A password for crime

There are several questions that are repeatedly thrown up during any discussion on Aadhaar for which experts and critics have not provided convincing enough answers. These include: `Why should honest, tax paying citizens be concerned about the linking of their Aadhaar data to bank accounts? What is wrong if your Aadhaar number is shared while applying for a gas connection if it is only to verify your identity? The government and its investigative agencies can in any case access bank data so what’s the big deal if they get it through Aadhaar? Is the aam aadmi bothered if marketing agencies illegally tap data to figure out their gender or other personal details? Isn’t it only a small section of the rich with something to hide who are concerned? Is this privacy controversy exclusively an elitist issue?’

A few weeks ago, while researching a story on Aadhaarfor India Legal magazine,I spent an hour with rights lawyer Indira Jaising. We first went over what has now become familiar terrain; Article 21 and other Constitutional and legal aspects; how many poor were excluded from Aadhaar; how despite it, welfare money was not reaching the targeted people etc.Finally, the discussion veered around to why should privacy be of concern to the ordinary man in say, Barabanki, who is not particularly bothered if someone finds out details of his bank transactions or how much fertilizer subsidy was allocated to him?

What I heard in the next half an hour proved to be an eye opener. And as I followed up leads provided by Indira Jaising over the next two weeks, realisation dawned that we are perhaps missing a key factor in the ongoing public debate on Aadhaar—the huge crime component that kicks in when privacy is compromised.Last fortnight an IIT-Kanpur team which met the Parliamentary panel on Finance reportedly spelt out the criminality that can be unleashed once the proposed linking of Aadhaar data with bank accounts comes into force from 31 December this year. In this age of cashless transactions our bio-metric data is currently not safe with the government was the expert team’s feedback to the Parliamentary panel.

Why did it arrive at this conclusion? Before we go any further we have to get some basics factored in. What we loosely call Aadhaar is not just a record of your name, age, address, religion, caste and a unique number allotted to you. It is also your bio-metric data (read thumb impression and your retina scan) which the government is supposed to store with extreme care. So far, it has failed in doing so, making stored data easily accessible to hackers. In other words, even if security systems are now tightened it would be a rather delayed action since the Aadhaar data has already been stolen by various unidentified vested interests. In fact it was stolen even as the data was collected.

If the government goes ahead with its plan of linking Aadhaar to your bank account by 31 December this year, then your bio metric data is what is effectively linked. Your thumb impression can then be used or misused as a password for several operations. So, if someone has a copy of your thumb impression he or she can effectively operate your bank account without your knowledge. This abuser could even be an employee in your bank—as the Parliamentary Panel was informed. Or, it could be a terrorist organization or vested interests in the police, intelligence agencies or government who wish to frame you for committing financial fraud.

But how does the mafia or some vested interest copy a fingerprint which is supposed to be unique? My research took me to Prashant Pandey, the whistle-blower in the Vyapam examination scam in Madhya Pradesh and a cyber security expert. He recalled what transpired during the entrance examination for the MBBS course two years ago. Qualified persons had fronted for the candidates and had written the exam on their behalf despite fingerprint scanners being used before allowing access to candidates into the examination hall.

How were the scanners fooled? Prashant had this explanation: “The fake candidates were provided copied fingerprints of the real candidates on a silicon film which they wore on their thumb. This happened in not one or two cases but in several hundreds of them.” According to him, what happened in Vyapam is proof of how unreliable fingerprint identification is.

The copying of thumb impressions does not require any great expertise. There are enough sites on the internet which explain how this is done. A 3-D printer (costing Rs 3-4 lakhs) was all that was required in the Vyapam case. If the crooks in Bhopal or Indore could fool fingerprint scanners, then it can be assumed with certitude that larger criminal networks can do the same more efficiently.

Now, let us see what can happen to the account of our man in Barabanki once his data is stolen? A copy of his thumb impression is all that will be required to effect transfers or payments into his account or transfers from it using the Bhim app or a point of sale (POS) machine which requires only a fingerprint as proof and bypasses the need to swipe a debit or credit card. The Bhim app, introduced with much fanfare by the Prime Minister post-demonetisation to facilitate cashless transfers by the unlettered, necessitated the need to link UID numbers and data to banks. Now the government has mandated that all accounts holders must also be linked through Aadhaar.

The Bhim app is just one of the entry points into your account. The possibilities of fraud are enormous once the linking of Aadhaar at various levels happens. For example, a trickster operating from outside India with leaked Aadhaar database and hundreds of POS machines can pull money out from bank accounts to an anonymous destination abroad.

Many cyber security experts are of the view that the Unique Identification (UID) programme launched in 2010 has evolved dangerously and will become a veritable password for those indulging in a range of cyber-related crimes. Initially meant to provide an identity for the poor and to ensure that there are no leakages in money transfers under various welfare schemes, the Aadhaar net has been widened to encompass virtually every aspect of life.

And each time one shares a number with a new agency/service platform, the number of points from which personal data can be accessed by undesirable elements multiplies. Once the data thief gains access to the data, which includes facial image, image of the iris and fingerprints, he can access the respective bank account because they will be linked to the Aadhaar card.

The dividends from data mining are so huge and the implications so varied that this has already begun. It will not be long before the crimes start. There are enough pointers which reveal how data is not secure with the government. This year there have been 21 reported case of data thefts and data leaks according to unofficial estimates. On 4 August Bangalore police arrested a former IIT-Kharagpur post graduate employed with car aggregator Ola for stealing the Aadhaar data of 40,000 persons from the server of the UIDAI.

In April this year,the Aadhaar details of one lakh pensioners in Jharkhand who had seeded their UID numbers to bank accounts was freely available on the website of the Jharkhand Directorate of Social Security. A report released in May 2017 by the Centre for Internet and Society (CIS), a Bangalore-based organisation looking at multi-disciplinary research and advocacy in internet use, reveals that in the past few months, data of 13.6 crore citizens was leaked from four major government data bases.

The Ministry of Electronics and Information Technology has acknowledged that theft is happening. A 25th March note of the ministry accessed by the New Indian Express, confirmed that bio-metric data was not secure. The same ministry on 5th March had issued a statement that Aadhaar data was absolutely secure. Why even Nandan Nilekani, the brain behind Aadhaar now admits there are “security concerns.”

You may wonder why has the government made Aadhaar mandatory for all citizens. Well, there are several spin offs for those in power and the political class. Should the Supreme Court rule in favour of Aadhaar then   surveillance of citizens can become 24/7 with the ID card becoming linked to bank accounts and cellphones and essential for buying air and rail tickets. So, those being hounded by the government (like many leaders were during the Emergency) will have nowhere to hide. They can be traced every time they operate their bank account, use their debit cards or buy a rail ticket or are contacted on the mobile phone. Big Brother can truly watch you without IB men shadowing you.

At another level, politicians, can plan their election campaigns since they will have nationwide micro data on people. And more importantly voters can be bribed by transferring funds into their bank accounts from anonymous benefactors in distant destinations. As one rights lawyer put it: “It will no longer be necessary for the candidate or his minions to distribute envelopes with currency to voters which can be caught by the Election Commission on video.”

Data theft and how it can be misused by crime syndicates has been underlined by experts. Sunil Abraham, Executive Director of CIS, has been quoted as saying: “Bio-metrics is an inappropriate technology for financial services. Linking Aadhaar, which has your bio- metric data, with bank accounts makes you a lot more vulnerable to financial frauds than before. The government needs to rethink its use for Aadhaar as it will impact over a billion people.”

Professor Anupam Saraph,an expert in governance of complex systems describes the linking of Aadhaar to bank accounts as a move which will “enable benami bank accounts and scale benami transactions to destroy the Indian economy along with the Indian banking system”.  He has blogged on how innocent account holders will find their UID numbers being used as “mules for money laundering”.  Worse, they can be “framed for economic offences” if someone deliberately transfers illegal money into their accounts.

Fingerprints from the Aadhaar database, once accessed, can easily be copied and used to implicate someone in a crime. Pandey believes it is a real possibility. “Your fingerprint can be placed at the scene of a crime by vested interests who can frame you with the help of the police. The prospect of misuse is frightening,” he said.

I also happened to interact with Colonel Thomas Mathew, a Bangalore resident who was one of the first to file a civil suit in the apex court against Aadhaar. He is of the view that bio-metric data does not serve as a credible proof of identity or even citizenship since the UID/Aadhaar number is for all residents in India who could be outsiders on an extended stay in the country.

He quotes the research paper, Biometric Recognition – Challenges and Opportunities by four US national academies – the National Academy of Sciences, the National Academy of Engineering, the Institute of Medicine and the National Research Council—to prove that fingerprints are unreliable. The first principal finding of the research was that “bio-metric recognition is inherently probabilistic and hence, inherently fallible”. According to estimates, under field conditions, the false matches are 1 in 16.

In the final analysis, before the nation heads towards a total Aadhaar regime, it is perhaps time for the government to reassess the entire UID programme. Also, it must recognise Aadhaar’s limitations and not promote its use as proof of identity.

As for linking it to bank accounts of individuals and those in businesses who operate accounts on behalf of companies, the less said the better. Let us not herald a dystopian future where corrupt and exploitative politicians criminals, tricksters and terrorists have a field day.