Want Anybody's Personal Details From Aadhaar, India's Billion-Person Identity Database? Yours For $8

from the Aadhaar-admin-accounts-also-available-on-request dept

We’ve been writing about the world’s largest biometric database, India’s Aadhaar, since July 2015. Over 1.1 billion people have now been enrolled, and assigned an Aadhaar number and card, which represents 99.9% of India’s adult population. There are currently around 40 million authentications every day, a number that will rise as Aadhaar becomes inescapable for every aspect of daily life in India, assuming it survives legal challenges. That scale necessarily entails a huge infrastructure to handle enrollment and authentication. So it will comes as no surprise to Techdirt readers that it turns out you can obtain unauthorized access to the Aadhaar system very easily, and for very little cost. As the Indian newspaper The Tribune revealed:

It took just Rs 500 [about $8], paid through Paytm [an Indian online payment system], and 10 minutes in which an “agent” of the group running the racket created a “gateway” for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.

What is more, The Tribune team paid another Rs 300 [$4.75], for which the agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.

Given the repeated assurances by the UIDAI that the Aadhaar database was completely secure, this is big news, and led to some breathless damage limitation by the Indian authorities on Twitter. The UIDAI explained that: “Some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details”; and: “There has not been any data breach of biometric database which remains fully safe & secure with highest encryption at UIDAI and mere display of demographic info cannot be misused without biometric”. Although it may be true that this is not a biometric data breach, it nonetheless reveals a serious vulnerability in the system’s design, and on a vast scale. According to the original article in The Tribune, more than 100,000 “village-level enterprise operators”, hired to help with Aadhaar enrollment, have been offering this kind of unauthorized access to the database. In fact, the problem seems to be even more serious than simply providing login credentials to thousands of people. Here’s what another Indian site discovered:

Following up on an investigation by The Tribune, The Quint found that completely random people like you and me, with no official credentials, can access and become admins of the official Aadhaar database (with names, mobile numbers, addresses of every Indian linked to the UIDAI scheme). But that’s not even the worst part. Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters — the Aadhaar database won’t ask.

Even if biometric data is not involved, it’s hard to see how UIDAI could claim that these aren’t breaches of the database, or deny that the entire Aadhaar system is seriously compromised. It’s almost inevitable that the security of an important database system will be defeated eventually in some way, since the rewards are by definition so high. The fundamental problem with Aadhaar is its underlying intent — to create a single, giant database with key personal information about a billion people that can be accessed very frequently and very widely. That’s never going to be safe, as the inevitable future breaches will confirm.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Want Anybody's Personal Details From Aadhaar, India's Billion-Person Identity Database? Yours For $8”

Subscribe: RSS Leave a comment
Deepak says:

Lol. It is not unauthorized access.
Some official with an authorized access to a customer grievance portal allowed someone to lookup for name and address for a given aadhar number. Do you share your SSN? If others don’t have your aadhar they can’t lookup your details. Its funny how people interpret this as a compromise of UIDAI system.

Andrew Watson says:

As predicted ....

It’s all playing out exactly as predicted by the NO2ID campaign when it was fighting the proposed United Kingdom ID card ten years ago:



After an extended narional campaign, we got the UK scheme stopped. Thank goodness.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...