Aadhaar prime target for criminals, could cripple economy: RBI paper

Aadhaar, the biometric-based identification that is now mandatory for all Indian citizens, faces a potential threat from cyber criminals which can cripple the economy, according to a white paper by the Institute for Development and Research in Banking, affiliated to the Reserve Bank of India.

The finding comes even as Aadhaar is in the news for the wrong reasons after a newspaper recently exposed how easily the personal data of any individual can be purchased.

The paper, 'Biometric and Its Impact in India', was a part of Staff Papers series published in its October 2017 edition.

''Thanks to Aadhaar, for the first time in the history of India, there is now a readily available single target for cyber criminals as well as India's external enemies,'' a white paper authored by Dr S Ananth, adjunct faculty of the institute, said.

The paper has flagged issues related to Aadhaar such as problems of access to the last mile, issues with the quality of authentication, unclear financial benefits and security concerns and said that there needs to be caution in the manner in which the government is linking more economic programmes and activities with Aadhaar.

The paper said the benefits of Aadhaar – which the government is seeking to make mandatory for virtually every service, including non-government ones like banking and mobile telephony – are unclear.

Since its inception, Aadhaar has been involved in debate, especially over privacy and information leak concerns. The latest of these controversies is an investigative story reported in The Tribune on 3 January. It alleged that unrestricted access to details of over one billion Aadhaar numbers can be purchased at as little as Rs500 (See: Your Aadhaar details are up for sale, price: Rs500).

Calling for caution in the manner in which Aadhaar was being used by the government, the paper said, ''Only time will tell if the benefits outweigh the costs or vice versa.'' It adds that its impact on direct benefit transfers has not been studied enough.

''In a few years, attacking UIDAI data can potentially cripple Indian businesses and administration in ways that were inconceivable a few years ago. The loss to the economy and citizens in case of such an attack is bound to be incalculable,'' it said.

India created the Unique Identification Authority of India (UIDAI), a statutory authority under the provisions of the Aadhaar Act, 2016, in July of the same year. It works under the Ministry of Electronics and Information Technology. The UIDAI has so far issued more than 111 crore Aadhaar numbers to Indians, according to a posting on its website.

Aadhaar faces a number of challenges over the short and long-term, according to Dr Ananth.

''The primary challenge is to protect the data from prying and profit seeking excess of the business world. The problem is compounded because they have to satisfy their shareholders in a competitive business environment that rarely looks beyond the quarterly profits and the operational dynamics of stock market listing.

''A more worrisome aspect is that Aadhaar is increasingly becoming the pivot for the operation of various economic and administrative activities. In an era when cyber threats are frequent, the major challenge for UIDAI is to protect the data under its control since the biometrics is now an important national asset which has huge ramifications for various government programmes and the banking system.''

Other than that there is the issue of privacy, ''The problem is now compounded with the linkage of bank account, driving license, phone number and a host of other services to Aadhaar. It means that the Aadhaar number will be available in databases of each and every service provider. Hence, any breach of the database of one provider has the potential to compromise the details of the Aadhaar numbers.''

A more serious privacy concern, Dr Ananth wrote, was that UIDAI promises to archive the data for five years.

''Since UIDAI's vision has no qualms about allowing private service providers, Indian and foreign, to participate in developing an ecosystem related to it, one wonders how security of data of companies that are essentially foreign in nature and those that have little legal and economic exposure or interest other than profit in India, can be ensured,'' he wrote.

The paper called for caution in the manner in which Aadhaar was being used by the government, especially as more programmes and economic activities were linked to it. ''Only time will tell if the benefits outweigh the costs or vice versa.''