India Insights with Geetha Nandikotkur

Biometrics , Governance & Risk Management , Multi-factor & Risk-based Authentication

Analysis: Supreme Court Ruling Against Aadhaar Mandate

Allowing Time to Adequately Address Security
Analysis: Supreme Court Ruling Against Aadhaar Mandate

Those concerned about the security of India's Aadhaar biometric ID are pleased that the Supreme Court of India has ruled that linking Aadhaar numbers to bank accounts, payment cards and mobile phones cannot be mandatory until security issues are adequately addressed.

See Also: Automation for the Modern SOC: Automating Phishing Response and Threat Intel Enrichment with Splunk SOAR and TruSTAR

Alhough the top court ruled Tuesday that the use of Aadhaar will remain mandatory for accessing social welfare schemes and subsidies, it set aside other mandates until the court can decide whether that violates the right to privacy, especially in light of recent security incidents.

Aadhaar has been surrounded by controversy regarding its capability to secure citizens' data. 

The Supreme Court indefinitely extended the March 31 deadline for Aadhaar linkage until the constitution bench delivers a judgement on the matter.

The 12-digit Aadhaar number, linked to demographic and biometric information of all residents and a photograph, is issued by the Unique Identification Authority of India. It's widely used for proof of identity and address.

Aadhaar has been surrounded by controversy regarding its capability to secure citizens' data.

Mumbai-based Dinesh Bareja, head of the Open Security Alliance, praised the court's decision. "It only proves the Supreme Court is not convinced about UIDAI's security mechanism and considers it premature [to mandate Aadhaar]," he says.

The five-judge Constitution bench of the Supreme Court, headed by Chief Justice of India Dipak Misra, said the government cannot insist on mandatory Aadhaar. The bench said it may not be possible to decide by March 31 on the batch of petitions challenging the constitutional validity of the Aadhaar Act because arguments could take longer.

Linking Aadhaar: A Premature Move?

Last November, the RBI mandated that all banks use Aadhaar as the primary form of authentication for anyone accessing their bank account in any way, personally or electronically, stirring a debate among security practitioners about its long-term role and data security issues.

RBI said linking Aadhaar to bank accounts is mandatory under the Prevention of Money-laundering (Maintenance of Records) Second Amendment Rules, 2017 published in the Official Gazette on June 1, 2017.

But recent security incidents called into question whether the RBI mandate was premature. And it appears the Supreme Court weighed these incidents in making its decision.

For example, The Tribune recently reported that details tied to more than 1 billion Aadhaar numbers was being made available for sale for just Rs.500 over WhatsApp.

In addition, a French researcher, who goes by the names Elliot Alderson and Baptiste Robert, reported that he could access Aadhaar-related data of the Telangana State Postal Service and telecom provider BSNL, which proved UIDAI servers are easily hacked (see: Data of 47000 BSNL Employees Exposed)

Alderson claims this could be achieved by a manual search on the application and could be accessed by a cardinal SQL injection attack.

Bareja contends that UIDAI's decision to outsource critical data storage services to a third party, without controls to monitor the third party, played a role in the lack of Aadhaar data security.

Aadhaar Security: Can It Be Fixed?

Some security experts argue that the various Aadhaar data leakage incidents were caused by poor implementation of security, monitoring and authentication mechanisms.

"Ascertaining where the compromise occurred is a challenge - whether at the Central Identities Data Repository or at the user agency system level; there is little information about whether data has been secured," says Bengaluru-based Naavi Vijayashankar, a cyber dispute risk management consultant and cyber law expert.

It's puzzling why UIDAI's CEO, Dr. Ajay Bhushan Pandey, dismissed the news reports about Aadhaar data leaks, calling them "irresponsible" because they were based on reports of "a few Aadhaar cards reportedly put on the internet by some unscrupulous elements."

UIDAI is taking two key steps to add a layer of security. It's introducing a Virtual ID - a temporary, 16-digit Virtual ID number that Aadhaar holders can use for authentication. It's also introducing a UID Token - a 72-character alphanumeric string all entities can use to ensure customer uniqueness. However, these are not yet tested (see: Aadhaar Getting Additional Security Layer).

K. K. Mookhey, CEO & Founder, NII Consulting, says that theoretically, VID and UID tokens would help authenticate transactions. "But the fundamental question remains: Is my Aadhaar private or not, as UIDAI clearly says the Aadhaar number is not an authentication mechanism. Then why do I need a virtual ID when it cannot be used for authentication purposes or if no service provider will validate transactions based on this number?"

In light of all the security concerns, it's good news, indeed, that the Supreme Court is looking into making amendments to the Aadhaar Act to ensure it clearly articulates security and privacy clauses.

About the Author

Geetha Nandikotkur

Geetha Nandikotkur

Managing Editor, Asia & the Middle East, ISMG

Nandikotkur is an award-winning journalist with over 20 years of experience in newspapers, audiovisual media, magazines and research. She has an understanding of technology and business journalism and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a group editor for CIO & Leader, IT Next and CSO Forum.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.