On 28 July, newspapers reported that UIDAI, the state-owned agency that manages India’s unique identity project, Aadhaar, had filed a police complaint against Qarth Technologies, a company that was acquired in 2016 by Ola, India’s largest ride-sharing platform.

UIDAI accused Qarth’s founders of illegally accessing the Aadhaar data for all of 2017. And yet strangely, UIDAI also maintained that “there has been no breach, no leakage and no theft of data.”

The victimless crime wasn’t the first, and it won’t be the last. Because Aadhaar’s privacy and security goals are in conflict with its commerce and identity ambitions.

At the simplest level, Aadhaar as a unique 12-digit number solves the ID problem for everyone in India via biometric deduplication. Basic demographic details such as name, date of birth, photograph, email address and a phone number along with iris and fingerprints are stored in a central identity data repository (CIDR), also known as the core.

At last count, over 1.15 billion Indians were enrolled under Aadhaar, including over 99% of those over the age of 18.

From the beginning, experts said that centralisation of such a big database was bad system design and would be vulnerable to attacks. By way of answer, it was protected by layers of firewalls and never exposed to the rough badlands of the public internet, where rogue hackers regularly scan every single known address for vulnerabilities and ruthlessly exploit them.

But over time, Aadhaar evolved from just an identity project to a mammoth identity platform, linking together every aspect of modern life: taxes, schools, subsidies, healthcare, banking, home ownership, telephony and even post-retirement pension.

But a locked down database is not of much use when your ambition is to be an identity platform that would take on Google and Facebook in scope. Because for the Aadhaar project to succeed it has to provide value, and value can be provided only if the data collected is shared and made available to all applications that rely on Aadhaar.

And thus, the core stayed locked down while hundreds of applications now formed the periphery, together making up the Aadhaar ecosystem. But with the core being impregnable for all practical purposes, what about the security of the periphery?

Secure core, porous periphery

Securing the Aadhaar periphery, composed of hundreds of different types of apps and services from hundreds of different entities, is much tougher than securing the Aadhaar core. And even if it were technically possible to secure them all, it would slow down the growth of the Aadhaar ecosystem.

Thus the Indian government provided a neat solution: what if a law could be passed that penalises an application at the periphery leaking data? Surely the fear of jail and loss of reputation would make application developers pay attention to data security, went the thinking.

AUTHOR

Anand Venkatanarayanan

Previously a Senior Engineer with NetApp, Anand describes his current affiliations as "Chief Financial Officer at HasGeek during the day, Security Researcher during evenings and Privacy Advocacy after dark." He was mostly into Data Security and recently has taken an interest in application and end point security. He is a known privacy buff and mistakenly believes that everyone should care about their privacy.
