Monday, June 11, 2018

AADHAR, Security & Privacy: Why we needn't worry too much


AADHAR, also called UID or Unique ID, is the massive project of the Government of India to issue a unique digital identification to its citizens. The Unique ID concept dates back to the early 2000s; it was implemented over the following years, adopting emerging and evolving technologies, and the first AADHAR was issued in September 2010. It has since covered 1.19 billion people till date (source: AADHAR Dashboard).

However, over the past few months there has been growing concern regarding privacy protection in the Unique ID project. There have been many claims of security loopholes in the system and of threats of exposure of the personal data of AADHAR-enrolled citizens. Citizens are wary because most of them have linked their bank accounts with AADHAR.

Being aware is always good, but do we really need to get sceptical about one of India's most ambitious and massive projects?

Let’s look at the AADHAR system in very simple terms and check whether your privacy is indeed at stake or not.

Why AADHAR?

AADHAR is for identification. There are indeed many other ID cards like the PAN card, Passport, Voter ID etc., but the coverage of all other ID cards is limited, as low as 5% of the total population in the case of some cards. Although Voter ID cards have better coverage, they still lack the support of technology. Hence, AADHAR is the idea to identify all genuine residents/citizens of India and allow them to avail their rights with minimum hassle.

Why AADHAR needs biometric details?

To eliminate duplication! Biometric details cannot be duplicated (at least as of now) and do not need any skills like literacy, so they are uniquely and ubiquitously available with every resident/citizen. There have been problems with other ID cards, like fake or duplicate issues. AADHAR tries to eliminate such problems with biometrics.

All well!

But concerns started growing when –

1] People noticed that their fingerprints are now with the government. This builds up a fear that some ill-minded authorities (or even data thieves, i.e. hackers!) might access our fingerprints and frame us in grave criminal acts. Thanks to cinema, we all know the importance of fingerprints in forensics and legal evidence.

2] People noticed that a telecom major asks for your AADHAR number, takes your thumb impression and issues you a SIM card! They have all your data at their end in the form of KYC, i.e. Know Your Customer.

And one thinks: do they too have my fingerprints? My bank account details?

3] The Government launches the "AADHAR Enabled Payment System", saying you can now pay with AADHAR! And again one thinks: does it mean that if some hacker hacks the AADHAR database, he would sweep all the money from my bank account?

(reference: various news reports, tweets, blog posts and social media discussions across the internet)

The answer to all the questions above is: NO!!

Despite frequent allegations of security loopholes in the AADHAR system, it is safe to assume that AADHAR is safe enough to protect the citizens of India from the fears listed above.

The AADHAR architecture is well thought out, and its designers had already considered your security and privacy.

Let's look at the operation of the AADHAR system and address the concerns above.

AADHAR is managed by the UIDAI, the authority formed by the Government of India to manage the UID project.

To avoid tedious and mammoth content, I will not delve into the need for eKYC and for linking AADHAR to bank accounts. All further content assumes that AADHAR is enabled with the eKYC verification process and that linking AADHAR to a bank account is essential or beneficial. eKYC is knowing the customer, i.e. identifying the genuine consumer of goods and services, with the support of electronic data.

Interested readers may read:

1] for the eKYC requirement and process: AADHAR based KYC

2] for bank account linking and DBT: AADHAR and DBT (Source: RBL Bank)

Let’s first look at access to biometric details.

 
During AADHAR generation, the details of the enrolee captured along with the biometric data are stored in the Central ID Repository, or CIDR, by UIDAI. This storage can be viewed as multilevel storage, where the demographic data and the biometric data of the user are stored at logically separate levels with proper encryption. Demographic data includes name, address, date of birth etc., and biometric data includes iris, fingerprints etc. of the enrolee.

AADHAR is regulated by a legal framework. The AADHAR Act 2016 mandates to the UIDAI that biometric details must only be used for the generation of AADHAR. Biometric details should not be stored by any device in the AADHAR operation flow and should not be retrieved on demand. (reference: AADHAR Act 2016)

For security reasons, the system has been designed so that there is only a one-way entry for biometric data. This also makes implementing the Act easy for the system. Biometric details can only enter the CIDR and can never be retrieved, fetched or queried by anyone. Only demographic details can be queried and fetched. Biometric details are accessed only through the AADHAR eKYC/Authentication system.

Since biometric details can only go in and never come out –

1) No agency, company or supreme authority can access and store your biometric details from the CIDR.

2) Updates to biometric data are allowed, considering unfortunate events like accidents or natural changes that may happen in biometrics.

3) No agency or administrator can get your information or identity by searching against a fingerprint.

4) No hacker can query the biometric data because no system exists which fetches biometric data, and thus no such system is available to hack! The only system residing at the CIDR matches the input combination of biometric and demographic data and replies with yes or no (i.e. whether the match is successful or not).


Fig 1 – CIDR logical view

Then how does eKYC work? How is access to demographic data permitted? What if the banks or telecom companies asking for my fingerprint store my fingerprint details on their servers?

Answers to these questions can be found in the UIDAI eKYC API Specification. Interested readers can read the complete specification here.

There are multiple elements which work in the eKYC system, which are formally defined as:

1. An Authentication User Agency (AUA) provides services to users who are successfully authenticated. Thus, an AUA connects to the CIDR and uses AADHAR authentication to validate a user and enable its services. Examples of AUAs are banks, telecom companies etc. An AUA with KYC permission (i.e. permission to access KYC) is called a KUA.
2. An Authentication Service Agency (ASA) is an entity that has secure leased-line connectivity with the CIDR. ASAs transmit authentication requests to the CIDR on behalf of one or more AUAs. An ASA enters into a formal contract with UIDAI. Again, an ASA with KYC permissions is called a KSA.
3. Personal Identity Data (PID) is AADHAR-based personal identity data/information, including biometric and demographic information as well as the OTP (one-time password delivered to the registered mobile number) used for authentication.

So, PID is your AADHAR number plus fingerprint data, or your AADHAR number plus OTP, or (for complaints of lost AADHAR) name, date of birth etc. and fingerprint.

 

AUA/KUA and ASA/KSA are entities registered with UIDAI. No random entity can be permitted to enquire about the KYC details of an enrolee. Biometric devices are used to capture biometric data. These devices are duly audited and must not store any biometric information anywhere. Also, the applications that capture PID at the front end, i.e. at the AUA/KUA end, are duly audited and have to communicate with the ASA/KSA and the eKYC system as per the standard protocol mentioned in the API specifications above. These apps are also not allowed to store biometric data and have to encrypt the PID data before transporting it.

 

Operation of the eKYC/Authentication service:

1) When a user/enrolee visits an AUA/KUA (i.e. users of eKYC like banks, mutual fund companies, telecom companies etc.), PID is captured (refer above). PID includes biometric data, which indicates the consent of the enrolee to fetch the KYC.

2) The PID block is encrypted at the AUA/KUA end and transported by permitted apps to the ASA/KSA.

3) The ASA/KSA may add a further layer of encryption and sends the data to the CIDR eKYC system.

4) The eKYC authentication system checks for the AADHAR number/data and matches it with the biometric/OTP submitted. If it matches, the authentication system replies 'Yes', else it replies 'No'. This is the only outward response available from the system that can access biometric data at the CIDR.

5) If the authentication result is positive, the eKYC system fetches demographic data if required, encrypts it and submits it to the ASA/KSA. The ASA/KSA transports it to the AUA/KUA. For KYC purposes, AUA/KUA are permitted to store demographic data.

6) Having no direct access even to the eKYC system makes the whole process even more secure. There are many security checks and sanity checks in the process which I have left out to keep it simple.
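The "one-way" repository described in steps 1 to 5, modelled in Python as an added illustration (this is not UIDAI's code and not the eKYC API). The agency codes, the enrolment record and the fingerprint "templates" are constructed, the stored form is a keyed hash standing in for the encrypted template, and matching is exact byte equality rather than real fuzzy biometric matching. The point it shows is structural: the only operations exposed on the repository are enrol/update (write) and authenticate/ekyc (yes/no plus demographics), and a dump of the biometric table yields no fingerprint.

```python
"""Toy model of the eKYC/authentication flow described in the steps above.
Added illustration, not UIDAI's code: the agency codes, enrolment records and
fingerprint 'templates' are constructed, and matching is exact byte equality
instead of real fuzzy biometric matching."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PID:
    """Personal Identity Data as assembled at the AUA/KUA front end."""
    aadhaar: str
    biometric: Optional[bytes] = None   # captured template (signals consent), or None
    otp: Optional[str] = None           # or a one-time password


class CIDR:
    """Central repository. Biometrics only go in; the only things that come
    out are a yes/no match result and, for a registered KUA, demographic data."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)           # repository-side secret
        self._demographic: Dict[str, Dict[str, str]] = {}
        self._biometric: Dict[str, bytes] = {}        # aadhaar -> keyed digest only
        self._pending_otp: Dict[str, str] = {}
        self.registered_asa = {"ASA-CONSTRUCTED-1"}   # constructed agency codes
        self.registered_kua = {"KUA-CONSTRUCTED-BANK"}

    def _digest(self, template: bytes) -> bytes:
        # Stored form is a keyed hash, so a dump of the table yields no fingerprint.
        return hmac.new(self._key, template, hashlib.sha256).digest()

    def enrol(self, aadhaar: str, demographics: Dict[str, str], template: bytes) -> None:
        self._demographic[aadhaar] = dict(demographics)
        self._biometric[aadhaar] = self._digest(template)

    def update_biometric(self, aadhaar: str, template: bytes) -> bool:
        """The one write path after enrolment (accident, ageing): overwrite, never read."""
        if aadhaar not in self._biometric:
            return False
        self._biometric[aadhaar] = self._digest(template)
        return True

    def issue_otp(self, aadhaar: str) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending_otp[aadhaar] = otp
        return otp

    def authenticate(self, asa: str, pid: PID) -> bool:
        """Step 4: yes/no only. Requests must arrive via a registered ASA."""
        if asa not in self.registered_asa:
            raise PermissionError("unregistered ASA")
        stored = self._biometric.get(pid.aadhaar)
        if stored is None:
            return False
        if pid.biometric is not None:
            return hmac.compare_digest(stored, self._digest(pid.biometric))
        if pid.otp is not None:
            expected = self._pending_otp.pop(pid.aadhaar, None)   # single use
            return expected is not None and hmac.compare_digest(expected, pid.otp)
        return False

    def ekyc(self, asa: str, kua: str, pid: PID) -> Optional[Dict[str, str]]:
        """Step 5: demographic data goes only to a registered KUA, only after a match."""
        if kua not in self.registered_kua:
            raise PermissionError("unregistered KUA")
        if not self.authenticate(asa, pid):
            return None
        return dict(self._demographic[pid.aadhaar])


def run_demo() -> Dict[str, object]:
    """Walk the flow once with constructed data and report what each party gets."""
    cidr = CIDR()
    cidr.enrol("1234-5678-9012", {"name": "Constructed Person", "dob": "1990-01-01"},
               b"constructed-fingerprint-template")

    # Genuine holder at a bank counter: fingerprint + number -> match -> demographics.
    good = PID("1234-5678-9012", biometric=b"constructed-fingerprint-template")
    kyc = cidr.ekyc("ASA-CONSTRUCTED-1", "KUA-CONSTRUCTED-BANK", good)

    # Someone who only knows the number (a demographic-data leak): no match, no data.
    bad = PID("1234-5678-9012", biometric=b"someone-elses-template")
    leak_only = cidr.ekyc("ASA-CONSTRUCTED-1", "KUA-CONSTRUCTED-BANK", bad)

    # OTP route, then a replay of the same OTP.
    otp = cidr.issue_otp("1234-5678-9012")
    otp_ok = cidr.authenticate("ASA-CONSTRUCTED-1", PID("1234-5678-9012", otp=otp))
    replay = cidr.authenticate("ASA-CONSTRUCTED-1", PID("1234-5678-9012", otp=otp))

    return {
        "kyc": kyc,
        "leak_only": leak_only,
        "otp_ok": otp_ok,
        "otp_replay": replay,
        # No read path: the class exposes no method that returns a template.
        "has_biometric_getter": any(n.startswith("get_") for n in dir(cidr)),
        # What a repository dump would show in the biometric column.
        "stored_is_raw_template": cidr._biometric["1234-5678-9012"] == b"constructed-fingerprint-template",
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The interesting lines are the ones that are absent: there is no `get_biometric`, and the ASA/KUA registration checks are the gate that the text calls "no random entity can be permitted to enquire".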

 


Fig 2 – source: UIDAI eKYC API specifications document.

 

In this way, the demographic data of a user/enrolee can be availed or verified by the agencies without extracting biometric data.

Thus, we can relax: our biometric data at UIDAI is totally safe. It can never be fetched; it can only be matched or overridden.

 

By now there should be a hint: if biometric details are not fetchable, bank accounts too must be secured in a similar way!

Yes, you are right.



There is no direct access to bank accounts, just like there is no access to biometric data. The abstraction is provided by the NPCI (National Payments Corporation of India).

 

NPCI is the agency responsible for other inter-bank electronic payment methods like online transfers, NEFT/RTGS etc. For the AADHAR Enabled Payment System (AEPS) and other AADHAR based financial services like Direct Benefit Transfer, NPCI manages a separate system called the AADHAR Payment Bridge, or APB. For authentication purposes, NPCI/banks too communicate with the eKYC system of the CIDR.

 

I will put here a summarized account of the APB operation. Interested readers can read the detailed procedure here.

 

A lot can also be learnt by reading the FAQs at NPCI regarding APB here.

 

It should be noted that NPCI separately conducts a secured data transportation process. APB is a secure system in itself.

 

NPCI itself doesn't store AADHAR–bank account data. Instead, NPCI stores only "AADHAR to bank where the AADHAR is seeded" data. For any AADHAR based operation, NPCI communicates with the core banking system of the bank, which in turn stores the AADHAR to account number mapping. This means that simply hacking AADHAR data won't leak your bank account number. Hacking the NPCI server is also of no use; it does not store account numbers at all. One would need to hack the server of the bank where the AADHAR is seeded, and this server is again protected behind several levels of security.

 

 

Fig 3

 

Let's now quickly look at how AEPS works.

Say user 1, with AADHAR number ID1 and account number AC1, wants to pay ₹ 1000 to user 2 with AADHAR number ID2.

 

User 1 visits his bank, bank 1 (or even an authorized PoS). There he provides his account number and/or AADHAR number and fingerprint, and the AADHAR number of user 2.

The fingerprint and AADHAR number matching report is obtained from the eKYC system of the CIDR.
User 1's account mapped with AADHAR, i.e. AC1, is debited. A report is sent to NPCI that ₹ 1000 is to be credited to AADHAR ID2. NPCI checks the mapping, ID2 is mapped to bank 2, and a report is sent to bank 2 to credit ₹ 1000 to the account linked to ID2.

 

Bank 2 checks the mapping of ID2 with AC2 and credits ₹ 1000 to AC2!

This is how the whole operation is done!

So, even our concern regarding exposure of bank account data or sweeping of money is ruled out, due to the strong security and abstraction of data provided in the architecture.
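The ₹ 1000 transfer above, modelled in Python as an added illustration (not NPCI or bank code). Bank names, AADHAR numbers, account numbers and balances are constructed, and the CIDR fingerprint match is replaced by a caller-supplied yes/no function so the block runs stand-alone. Beyond the happy path in the text it also walks two failure cases a practitioner would want to see: a payee AADHAR that is not seeded at any bank, and a failed fingerprint match.

```python
"""Toy model of the AEPS/APB hop described above. Added illustration, not NPCI
or bank code: bank names, AADHAR numbers, account numbers and balances are
constructed, and the CIDR match is a caller-supplied yes/no function."""
from typing import Callable, Dict


class Bank:
    """Core banking system: the only place where AADHAR -> account number lives."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.balances: Dict[str, int] = {}           # account no -> balance (₹)
        self.account_for: Dict[str, str] = {}        # aadhaar -> account no

    def open_account(self, account: str, aadhaar: str, balance: int) -> None:
        self.balances[account] = balance
        self.account_for[aadhaar] = account

    def debit(self, aadhaar: str, amount: int) -> bool:
        acc = self.account_for.get(aadhaar)
        if acc is None or self.balances[acc] < amount:
            return False
        self.balances[acc] -= amount
        return True

    def credit(self, aadhaar: str, amount: int) -> bool:
        acc = self.account_for.get(aadhaar)
        if acc is None:
            return False
        self.balances[acc] += amount
        return True


class NPCIMapper:
    """APB mapper: knows only which bank an AADHAR is seeded at, never the account number."""

    def __init__(self) -> None:
        self.seeded_at: Dict[str, Bank] = {}

    def seed(self, aadhaar: str, bank: Bank) -> None:
        self.seeded_at[aadhaar] = bank

    def route_credit(self, aadhaar: str, amount: int) -> bool:
        bank = self.seeded_at.get(aadhaar)
        return bank is not None and bank.credit(aadhaar, amount)


def aeps_pay(npci: NPCIMapper, payer_bank: Bank, cidr_match: Callable[[str], bool],
             payer_aadhaar: str, payee_aadhaar: str, amount: int) -> str:
    """One AEPS payment: match at CIDR, debit at bank 1, route via NPCI, credit at bank 2."""
    # Step 1: fingerprint + AADHAR number yield only a yes/no from the CIDR.
    if not cidr_match(payer_aadhaar):
        return "AUTH_FAILED"
    # Step 2: bank 1 debits the account it has mapped to the payer's AADHAR.
    if not payer_bank.debit(payer_aadhaar, amount):
        return "DEBIT_FAILED"
    # Step 3: NPCI looks up the bank for the payee's AADHAR and asks it to credit.
    if not npci.route_credit(payee_aadhaar, amount):
        payer_bank.credit(payer_aadhaar, amount)   # no credit path: reverse the debit
        return "PAYEE_NOT_MAPPED"
    return "OK"


def run_demo() -> Dict[str, object]:
    """The ₹1000 transfer from the text plus two failure cases, all constructed data."""
    bank1, bank2 = Bank("bank1"), Bank("bank2")
    bank1.open_account("AC1", "ID1", 5000)
    bank2.open_account("AC2", "ID2", 100)
    npci = NPCIMapper()
    npci.seed("ID1", bank1)
    npci.seed("ID2", bank2)

    def cidr_match(aadhaar: str) -> bool:
        return aadhaar == "ID1"          # stand-in for the real fingerprint match

    ok = aeps_pay(npci, bank1, cidr_match, "ID1", "ID2", 1000)
    unmapped = aeps_pay(npci, bank1, cidr_match, "ID1", "ID9", 1000)   # ID9 never seeded
    wrong_finger = aeps_pay(npci, bank1, lambda a: False, "ID1", "ID2", 1000)
    return {
        "status": ok,
        "unmapped": unmapped,
        "wrong_finger": wrong_finger,
        "ac1": bank1.balances["AC1"],
        "ac2": bank2.balances["AC2"],
        # All NPCI can say about ID2 is which bank it lives at.
        "npci_view_of_id2": npci.seeded_at["ID2"].name,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note where the account numbers live: only inside `Bank`. `NPCIMapper` carries AADHAR-to-bank pairs and nothing else, which is the separation the text describes.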

 

But what about all the news regarding leakage of AADHAR data?

If we notice carefully, all news items claim leakage of demographic data. There is not a single report till date where biometric or banking data has been leaked. As per UIDAI, the AADHAR number, name and mobile number are not considered secret data, but are classified as sensitive data. We must be aware and informed that demographic data cannot be used to trace anyone, frame anyone or access bank accounts. Moreover, no operation using AADHAR can be done merely with demographic data; biometric capture or OTP is essential at every event, which makes the system highly secure.

 

Those who are still interested in more technical details of the architecture, security and privacy can refer to the paper presentation at IIT Delhi here (a paper by Shweta Agrawal, Subhashis Banerjee & Subodh Sharma).

 

- Chaitanya D Sangwai (originally written in January 2018)
 
 
Feel free to share!!

Suggestions or feedback are welcome at sangwai.chaitanya@gmail.com or in the comments section.

Recommended readings and references:

1. Official UIDAI site: https://uidai.gov.in/
2. AADHAR enrolment data: https://uidai.gov.in/aadhaar_dashboard/
4. UIDAI eKYC API Specifications: https://uidai.gov.in/images/aadhaar_ekyc_api_2_0.pdf
5. AADHAR Payment Bridge operational specifications: https://www.npci.org.in/sites/all/themes/npcl/images/PDF/APB_Standard_operating_procedure.pdf
6. FAQs at NPCI regarding APB: https://www.npci.org.in/apbs-faqs-banks
7. Privacy and Security of Aadhar: A Computer Science Perspective: http://www.cse.iitd.ac.in/~suban/reports/aadhaar.pdf (a paper by S Agrawal, S Banerjee & S Sharma)

 

Saturday, July 9, 2016

Maths Puzzle: What is greater? e^pi or pi^e!

Find out which one is greater,
$e^\pi$ or $\pi^e$
The condition is not to use a calculator or make any calculation with powers of 2.73... or 3.14...

This is a fairly simple mathematical riddle that needs an understanding of high-school level Mathematics. A friend of mine asked me this [he was asked this in some interview], along with proper reasoning. And I realised, this fairly simple riddle becomes quite difficult for a 'mathematics layman' like me! Thankfully I was not facing any such interview.

After some struggle, I managed to find the solution. Then I googled to check what solutions are available on the net. There were many solutions on the net, ranging from 3-4 lines to a verbose description, using a variety of methods (including the one I used), with the most popular being the use of derivatives.

The method I followed is as below:


Let $\pi = e^k$        ----------------- (I)

LHS          | Comparison/Operation                           | RHS
$e^\pi$      |                                                | $\pi^e$
$e^{e^k}$    | Put $\pi = e^k$                                | $e^{k \cdot e}$
$e^k$        | Compare exponents (both sides have base $e$)   | $k \cdot e$
$e^{k-1}$    | Dividing both sides by $e$                     | $k$

 

Now, let's go by the definition of $e$: $e = (1 + 1/x)^x$, where $x$ is infinitely large; for the closest value, $x$ can be taken as a huge number.

Also, $e^k = (1 + k/x)^x$ ------------------- (II)

The result in (II) follows from the fact that, by the same definition, $e$ is also equal to

$(1 + k/x)^{x/k}$ for $x/k$ infinitely large. Raising both sides to the power $k$ gives us equation (II).

Applying (II) for $(k-1)$ and expanding (II) with the binomial theorem,

$e^{k-1} = \left(1 + \frac{k-1}{x}\right)^x$

$\quad = 1 + x \cdot \frac{k-1}{x} + \binom{x}{2} \frac{(k-1)^2}{x^2} + \ldots$

$\quad = 1 + k - 1 + \text{other terms involving } (k-1)$

$\quad = k + \text{other terms involving } (k-1)$  --------------- (III)

Now it is clear that for all $k > 1$, the RHS of (III) is always greater than $k$. For $k = 1$, the other terms are zero and it equals $k$.

Hence, $e^{k-1} > k$ for all $k > 1$.
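The "other terms" in (III) made explicit, as an added note that is not part of the original post (finite $x$ first, then the limit):

$$\left(1 + \frac{k-1}{x}\right)^{x} = 1 + (k-1) + \sum_{j=2}^{x} \binom{x}{j} \frac{(k-1)^{j}}{x^{j}}.$$

For $k > 1$ every term of the sum is positive, and the $j = 2$ term alone equals $\frac{x-1}{2x}(k-1)^2 \to \frac{(k-1)^2}{2}$ as $x \to \infty$, so

$$e^{k-1} \;\ge\; k + \frac{(k-1)^2}{2} \;>\; k \qquad (k > 1),$$

with equality $e^{k-1} = k$ only at $k = 1$, which is the case the text notes.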

As $\pi > e$, it is clear that $k > 1$.

Hence the table completes as,

LHS          | Comparison/Operation                           | RHS
$e^\pi$      |                                                | $\pi^e$
$e^{e^k}$    | Put $\pi = e^k$                                | $e^{k \cdot e}$
$e^k$        | Compare exponents (both sides have base $e$)   | $k \cdot e$
$e^{k-1}$    | Dividing both sides by $e$                     | $k$
$e^{k-1}$    | >                                              | $k$
LHS          | >                                              | RHS
$e^\pi$      | >                                              | $\pi^e$

 

Thus,

$e^\pi > \pi^e$

- Chaitanya D Sangwai (09th July 2016).
