Is the UIDAI database vulnerable?
Moneylife Digital Team 01 October 2010

UIDAI is trying to create a ‘unique’ database through its ambitious UID number project. But state governments planning to tag numerous details to the UID number and allowing other entities access to the system could leave the database vulnerable to misuse

The Unique Identification Authority of India (UIDAI), the agency tasked with giving a unique identification (UID) number to every resident in the country, is facing a problem. Already, some state governments are seeking to add multiple dimensions to the UID number, raising questions about the nature and security of the UIDAI database.

The Press Trust of India has reported that the Orissa government has decided to include at least a dozen-odd specifications to the UID number, like ration card number, BPL/APL number (below poverty line/above poverty line), NREGS data (National Rural Employment Guarantee Scheme), driving license number, PAN number, photo i-card number, passport number, kissan and credit card number, LPG consumer number, Rashtriya Swasthya Bima Yojana number (national health insurance scheme), pension ID number and pass book number. How long will it be before other states follow: say, Maharashtra providing a UID number without the biometric inputs, or Uttar Pradesh adding sub-castes, gotra, or an individual's financial details to the UIDAI database?

Kerala has declared that it will provide the UID number to over 60 lakh schoolchildren in the state under the UIDAI initiative. The UID number, stored in a central database, will give access to a student's profile, complete with biometric data and demographics, including photograph, iris picture and fingerprints. Kerala has selected Akshaya, IT@School and Keltron as enrolment agencies for the work.

KK Anvar Sadath, executive director, IT@School, has been quoted as saying that "while 'Aadhaar' requires information on name, gender, date of birth and address (called KYR-know your residence-details), we will collect other details like class name and admission number from the students. From this database, the KYR fields will be filtered to separate software provided by the UIDAI."

In countries around the world where a national ID card system is being used, these IDs are given only to those above the age of 14 years and not to school-going children between five years and 14 years of age. According to a white paper published by UK-based Information Risk Management Plc (IRM), capturing biometrics of children, particularly those below the age of 16, is problematic. The size of biometric elements like fingerprints and faces changes a lot through the adolescent years. Similarly, biometrics taken from children may lack sufficient features to satisfy the initial enrolment process, giving rise to problems in the biometric system.

Now the UIDAI has opened a can of worms by agreeing to allow access to registrars, like state governments and banks, as well as insurers who will collect individual data for the authority through their know-your-customer (KYC) database. This means that any company may be able to access the huge database (of about 60 crore people expected by the end of 2015) simply by becoming a 'registrar' and using the data for their marketing initiatives. Also, the registrar, whether it is a bank or an insurer, could make it mandatory for customers to have a UID number if they want to continue to receive services.

An IT expert pointed out that such projects could not be run with just one person in control, for how will anybody know whether the system is not being misused? There is a need for implementable laws to check any misuse and this is a flaw with the UIDAI project.

Last heard, the UIDAI had selected three consortia (Accenture, Mahindra Satyam-Morpho and L1 Identity Solutions) to implement the core biometric identification system for the Aadhaar programme. UIDAI has stated that the three agencies would design, supply, install, commission, maintain and support the multi-modal automatic biometric identification subsystem. The three vendors would also be involved in the development of a multi-modal software development kit (SDK) for client enrolment stations, the verification server, and the manual adjudication and monitoring functions of the UID application.

Our emails to UIDAI chairperson Nandan Nilekani and managing director RS Sharma remained unanswered at the time of writing this story.

1 decade ago
Your knowledge is misplaced. The UID interface can only allow validation of the information provided by the user himself, and that too only if biometrics are provided. Can you explain how anybody can 'ACCESS' data in such a scenario? You seem to read everything except this fact that UID only provides Y or N.
Replied to Vijay comment 1 decade ago
Vijay, thanks for your comment. Unfortunately, for us Indians, knowledge of any kind is never misplaced. For biometrics verification, here a thumb scanner with a limited user database costs about Rs11,500. (You can enlighten all of us how much it costs in Canada?) The question is who will bear this cost of the biometrics scanner? And what about the unlimited access to 'registrars', because it is the very same people/organizations that are going to feed the data into UIDAI servers. Hope you understand the concerns of people staying in India.
Replied to MDT comment 1 decade ago
Of course there is a possibility of misuse. So what? My details are going to marketing people and somebody who is not supposed to call me when I get a prepaid mobile SIM. SSN is there in USA. Why not UID in India? I am for it. I can just say that it should be the most secure one. I believe our government to some extent. Till now I am safe under it. Even if something happens to me, it's a failure of Government and we cannot deny having UID. I welcome it. Nilekani has much more to work on than answering the media. The AADHAAR project will speak. Just like we knew him when he was in Infy. Or somebody to answer the media can be appointed when the so-called fourth pillar raises questions.
Replied to Krish comment 1 decade ago
Krish... first you need to know the difference between SSN and UID. SSN contains no biometric identifiers of any sort, while UID is based on the two most important biometrics, fingerprints and iris scans. In addition, it still is not clear as to who would handle/manage the UID number database, whether it will be UIDAI (Nandan has kept mum on this) or any other agency?
As per answering questions, the UIDAI did appoint some of the best 'connected' PR journalists, but they are busy with other tie-ups and have no time to provide straightforward answers. How many of them understand UID is still a debatable question, worth being used in KBC ;-)