A few weeks ago, a senior editor wrote a scathing column denouncing critics of Aadhaar. Dismissing them as “Aadhaarophobics,” he said that their fears are grossly exaggerated and the surveillance raj that they complain about is more imagined than real. He went on to elaborate in good measure that no government in its right mind would expend time and resources to gather information on where 134 crore Indians go, who they argue with, what they eat, the hotel they check into, the flight the take or the medicines they are prescribed.
Even if the government was interested in shadowing a few categories of citizens — politicians, bureaucrats, judges, journalists, intellectuals, activists and the creative elite — it had the Intelligence Bureau (IB) and other agencies to do the job. Why would it need Aadhaar to keep track? As arguments go, it was admittedly forceful, although some experts would say it was a shade too simplistic for the world we live in where digital crime is mushrooming and is no longer science fiction.
Indeed, if it was just an issue of mindless monitoring of citizens, then data security would not be a matter of serious concern the world over. The data surveillance industry would also not be a business that runs into several hundred billion dollars; in the US alone, it is worth $156 billion annually and is twice the size of the country’s intelligence budget.
Very clearly the business transcends much beyond governments prying into the lives of its citizens. Today, data is being mined by various vested interests — powerful tech-savvy crime syndicates, big corporations, terrorists, rogue elements in governments, intelligence agencies and even political parties. Among those who seek data are those who use it to commit financial crimes, seek revenge and implicate people in crimes by impersonating or stealing their identity. Data can also be stolen by government agencies to trigger a crime wave or panic in a rival nation.
Big corporations and businesses, on the other hand, use data sourced overtly or covertly from sources ranging from social media networks to the government to sharpen their marketing and sales strategies or to unfairly derail the competition. And they do all this without the knowledge of people whose lives they are peeping into and whose personal data they are wantonly stealing and using.
Marc Goodman, formerly with the FBI and Interpol, in his widely acclaimed book Future Crimes talks about the new surveillance economy and the dangers that it poses. To quote: “The explosion of data has led to the creation of a brand new industry for transnational organised crime groups, and mass identity theft is the result… Furthermore the theft of personally identifiable information is a gateway to crime that leads to any number of other criminal offences such as financial fraud, insurance fraud, tax fraud, welfare fraud, illegal immigration and even terrorist finance. Exponential growth in data is leading to exponential growth in online crime.”
According to Goodman, 13.1 million Americans are victims of identity fraud annually. That works out to one citizen every two seconds.
To make matters worse, new technology, including 3D printers, helps make duplication of fingerprints easy. So, the big question is how secure is data with the Unique Identification Authority of India (UIDAI), which administers the Aadhaar database or will it to be a gateway for criminals and vested interests to exploit?
The Aadhaar data bank, which includes biometric information of citizens, if eventually linked to bank accounts, PAN numbers, welfare schemes, insurance policies, pension accounts, mobile phones, credit cards etc, would be seen by data thieves and crime syndicates as a goldmine to be exploited. In fact, experts are agreed that the more interlinked we are digitally, the more vulnerable we are to the new criminals who are tech-smart and are known to employ the services of expert hackers.
Future Crimes does briefly touch upon Aadhaar, which is the largest biometric identity database in the world, covering 1.2 billion citizens. In this context, it notes that “while a national government biometrics database sounds as if it might be a useful tool in catching criminals and terrorist, it is not without its own privacy and security risks”. The book cites the example of Israel where the entire national biometric database was hacked a few years ago and sold to Crime Inc (an international syndicate) and posted online in the digital underground or the dark net.
Biometric data, once stolen, unlike passwords, cannot be reset. It is impossible to change your fingerprint or iris scan. They are, permanent identification markers, which once copied by hackers, can be misused forever. To make matters worse, new technology, including 3D printers, helps make duplication of fingerprints easy. So, the big question is how secure is data with the Unique Identification Authority of India (UIDAI), which administers the Aadhaar database or will it to be a gateway for criminals and vested interests to exploit?
That national databases are vulnerable became evident when last November, the US Senate Commerce Committee probing how to protect citizens from major data breaches, discussed the need for re-examining the Social Security Number (SSN) given to citizens, perhaps even scrapping it. The Committee was looking at security concerns in the light of the hacking at Equifax, one of three consumer credit reporting agencies, which revealed in September 2017 that data of 145.5 million US customers had been compromised.
The hackers accessed names, social security numbers, driving licence numbers and other personal details. “This is exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, cell phone companies and other businesses vulnerable to fraud. As a result, all 145.5 million US victims are at greater risk of identity theft, and will remain at risk for years to come,” Bruce Schneier, special advisor to IBM Security and the Chief Technology Officer of IBM Resilient, reportedly told the Committee.
In India, the authorities have for long been in denial mode when security breaches were reported in the Aadhaar database. These were dismissed as stray incidents or teething problems inevitable in a data collection exercise involving the entire country.
In fact, it was as recently as July 2017 that Ajay Bhushan Pandey, CEO of UIDAI, assured the public in a media interview that Aadhaar numbers being stolen should not be a matter of concern. “What I would like people to understand is that Aadhaar is not a secret number like your password or PIN (personal identification number), which can materially affect your life tomorrow if it is leaked without your knowledge,” he had said.
So, what changed in six months for UIDAI to execute a U-turn in its stand this January? Was it a slew of data leaks reported in the media in the last few months that forced it to announce new measures to secure the 12-digit unique ID number? The Virtual ID — a temporary 16-digit number that can be used by users in lieu of the Aadhaar number and changed from time to time as directed — is now the new mantra to stop the leaks.
But will that alone ensure that biometric data is safe? Or is this a knee-jerk reaction to quieten the critics and to assure the Supreme Court — currently hearing the Aadhaar matter — that all is well? Are we still in the unsafe zone where our data is vulnerable, ready to be tapped by criminals and by the government to mount a surveillance on those it wishes to target? And what about the biometric data and Aadhaar numbers that have already been stolen and are up on sale on the Internet? Is the UIDAI waking up rather late in the day or, as former finance minister P Chidambaram put it, “is it bolting the stables after the horses have fled”?