On 28 July, newspapers reported that UIDAI, the state-owned agency that manages India’s unique identity project, Aadhaar, had filed a police complaint against Qarth Technologies, a company that was acquired in 2016 by Ola, India’s largest ride-sharing platform.
UIDAI accused Qarth’s founders of illegally accessing the Aadhaar data for all of 2017. And yet strangely, UIDAI also maintained that “there has been no breach, no leakage and no theft of data.”
The victimless crime wasn’t the first, and it won’t be the last. Because Aadhaar’s privacy and security goals are in conflict with its commerce and identity ambitions.
At the simplest level, Aadhaar as a unique 12-digit number solves the ID problem for everyone in India via biometric deduplication. Basic demographic details such as name, date of birth, photograph, email address and a phone number along with iris and fingerprints are stored in a central identity data repository (CIDR), also known as the core.
At last count, over 1.15 billion Indians were enrolled under Aadhaar, including over 99% of those over the age of 18.
From the beginning, experts said that centralisation of such a big database was bad system design and would be vulnerable to attacks. By way of answer, it was protected by layers of firewalls and never exposed to the rough badlands of the public internet, where rogue hackers regularly scan every single known address for vulnerabilities and ruthlessly exploit them.
But over time, Aadhaar evolved from just an identity project to a mammoth identity platform, linking together every aspect of modern life—taxes, schools, subsidies, healthcare, banking, home ownership, telephony and even post-retirement pension.
But a locked-down database is not of much use when your ambition is to be an identity platform that would take on Google and Facebook in scope. Because for the Aadhaar project to succeed it has to provide value, and value can be provided only if the data collected is shared and made available to all applications that rely on Aadhaar.
And thus, the core stayed locked down while hundreds of applications now formed the periphery, together making up the Aadhaar ecosystem. But with the core being impregnable for all practical purposes, what about the security of the periphery?
Secure core, porous periphery
Securing the Aadhaar periphery—composed of hundreds of different types of apps and services from hundreds of different entities—is much tougher than securing the Aadhaar core. And even if it were technically possible to secure them all, it would slow down the growth of the Aadhaar ecosystem.
Thus the Indian government provided a neat solution—what if a law could be passed that penalised an application at the periphery leaking data? Surely the fear of jail and loss of reputation would make application developers pay attention to data security, went the thinking.