There is a distinct difference between identification and authentication. Worldwide, biometrics is mainly used for identification rather than authentication when the sample size is large. Yet, in India, the government and the UIDAI are trying hard to use the UID number for both identification and authentication
Given that the UID project—now branded as the Aadhaar project does not have legal sanction yet—the National Identification Authority (NIA) Bill was sent back by Parliament’s own standing committee, no cost benefit analysis yet, no feasibility study of any kind yet, it is interesting to look at the security issues of this project.
First of all, no expert worth his/her salt would believe that authentication using fingerprints works for a population anywhere close to this size. Worldwide, biometrics is mainly used for identification rather than authentication when the sample size is large. There is a distinct difference between identification and authentication which I would like to take some time to explain.
For instance, the US Federal Bureau of Investigation (FBI) has a biometric database of around 50 million or so people (note that this is not the biometric of American population which totals more than 250 million) which is checked against a fingerprint found in a crime site to see if a suspect is found among the people whose fingerprints are in the FBI database.
Matching of fingerprints for identification purposes requires careful, high resolution checks to see if two fingerprints are the same. Even with such a high resolution check, the FBI has made mistakes. In case of a terrorist incident in Spain a couple of years ago, it mistakenly nailed a lawyer from California based on fingerprint matching only to retract later. The FBI was later sued by the lawyer and it paid hefty compensation to the lawyer for its mistake.
Authentication is the process of checking only one fingerprint and at much lower resolution to see if the fingerprint in the database is the same as the one that is being produced for authentication.
Now how are the two different, you may ask?
To understand it, one needs to understand an important aspect, namely that this authentication at least as proposed by is done remotely and digitally. And herein lies the crucial difference. Thus, for instance if I have a digital image of your fingerprint, I can authenticate in your name. That is, I can impersonate you because I have the digital copy of your fingerprint. Now, it is not difficult to make a digital copy of your fingerprint. For instance, I can give you a glass of water to drink and when you touch that glass, your fingerprints will appear on that glass. By following a procedure—and instructions for such a procedure are available easily and even on the internet—I can then make a fake fingerprint made out of say ‘Fevicol’, wear it on my finger, and then use it for authentication. Thus, for all purposes, and as far as is concerned, I have impersonated you and I can now be eligible for the cash transfers that you are eligible for.
Please note that the above is possible in all circumstances—namely if authentication is to be done in automated fashion in say an ATM like machine or in a supervised condition where a supervisor picks up my fingerprint via a fingerprint scanner which he/she carries.
Now that the government is going to use UID for vast amounts of cash transfers, and given the proliferation of frauds in this country, one can imagine the windfall for fraudsters due to this. And add this to the fact that middle-men/agents who may carry this task in this country aren't exactly saints. They can lay their hands on fingerprints of a huge number of people either via digital copies or via making faking fingers and steal the entitlements of the people. Most people not knowing the technology behind all this would be clueless as to what is happening.
The above is by no means the only security issue with the UID project. There are many more serious security issues in this UID project. One of the other main ones is that of de-duplication. The whole UID project rests on the thesis that your identity, that is your biometrics—fingerprints and iris scans—are unique. Which means that each of the billion fingerprints in the database—assuming the database is say a billion strong—corresponding to the billion people are unique. That is, no two fingerprints corresponding to a particular finger in the database are the same. And how does ensure this? They claim to ensure this through a process which they call de-duplication.
Now what is de-duplication?
De-duplication is the following. Whenever a person’s biometrics—that is his/her fingerprints, and iris scans—are to be inserted in the database for the first time, there is a check made to ensure that these are not already present in the database, that is, they are not duplicated. That is, for each of the ten fingerprints of the person, a check is made against each and every fingerprint already present in the UID database corresponding to the particular finger to see if a similar fingerprint already exists in the database. Only if no similar fingerprint exists is the newly to be introduced fingerprint considered unique and introduced into the database. The UIDAI claims that this process is almost 100% accurate; that is, except for a small minute percentage, it will catch all the duplicates. And herein lies the problem. This claim is made by the UIDAI. However, there is no independent verification by any unbiased third party of this claim.
And this is the whole issue; should any sensible person believe the UIDAI’s claim when does not allow any independent third party access to verify its claim? Given that thousands of crores are at stake for and say finds that de-duplication is not working do you expect it to come out and say it?
There is no good reason to believe what UIDAI says is correct mainly because it has been completely non-transparent about the project, hasn't sincerely answered questions raised as part of RTI queries, as also has gone back on promised commitments to meet with independent experts who are part of civil society to discuss such issues.
I would not be surprised if de-duplication is not working and there are many persons out there, who have more than one UID allocated to them.
This is not all. There are other security issues as well. In any financial system based on authentication—and the UIDAI's system will deal with money worth thousands of crores to be doled out as cash transfers—there is a concept of a password. For instance, in case of internet banking or an ATM transaction, we have a PIN and we have different kinds of passwords such as login passwords or transaction passwords. No one in this world designs a system assuming 100% security. Perfect security does not exist and a good design while taking as much care on the security front has to always have a backup in case security is breached. That is the standard practice worldwide accepted among experts. Thus, for instance in case of a banking system, if my password is stolen, I call the bank, ask it to deactivate my current password and send me a new password. This basic principle is broken by because in the case of the system, the password is your biometric which cannot be changed. Thus, if you lose your biometric—and I have mentioned a way above by which your fingerprint image can be stolen—you are doomed. Because, you cannot get a new fingerprint, and your data will be lost forever to the person who stole your password. This is such a fundamental design flaw that it cannot be overemphasized. With how much ever care and how much ever security, there is a finite possibility that some people will lose their biometrics. In the current system, they will be shut down from the system for good.
In a way the above has already happened. In Mumbai, some fraudsters masquerading as official agents of for UID recruitment picked the biometrics of about 1,000 people. Now, these peoples’ identities are stolen for good; all the entitlements that they may be eligible for can be stolen by the fraudsters. The authorities, very stupidly, has asked these people to re-register for UID, something that is not going to help them because their biometrics is already lost and is with fraudsters and while re-registering them will pick the same biometrics from them again. Also, there has been a case where a laptop on which enrolment data was present was stolen.
Apart from all the other issues, there is always a possibility that the database itself is hacked into and stolen. Database could be a good target for terrorists. If I am not wrong, biometrics in this database is stored unencrypted, again a fatal mistake. Thus, if even part of this database is stolen, it is irreplaceable unlike a bank database where all that needs to be done is to deactivate the passwords and give new passwords to the customers. In the case, the only way out is to ask every Indian to undergo a surgery to change their fingerprints surgically, a practical impossibility not to mention other serious issues.
The UIDAI has no answers to the above questions, because there are none. The system’s security is flawed from the conception stage itself and it cannot be fixed so easily. It is indeed better to scrap this project and save taxpayers' money.
This is eighth part of a nine part series on UID
(Dr Samir Kelekar has a B Tech from IIT Bombay and PhD from Columbia University, New York. He is a security professional and runs a consultancy firm Teknotrends Software Pvt Ltd. He is also a holder of a critical US patent in the area of network security. Dr Kelekar consults in the area of security with banks, telecom companies and others.)
Is UID anti-people?–Part7: Incarnation of new geo-strategic tools, NCTC, NATGRID, UID, RFID and NPR
Is UID anti-people?–Part 6: The foundation for incessant intrusion
Is UID anti-people?–Part 5: Why UID is impractical and flawed “Ab initio”
Is UID anti-people?-Part 4: Does the implementation smack of corruption and negligence?
Is UID anti-people?-Part 3: Tall claims and tomfoolery of UID
Is UID anti-people? –Part 2: A bundle of contradictions, misconceptions & mirages
Is UID anti-people? The database state –Part1
Inside story of the National Stock Exchange’s amazing success, leading to hubris, regulatory capture and algo scam