Aadhaar linking to everything poses serious national security challenges

The widespread adoption of Aadhaar numbers and linkages to Unique Identification (UID) programme databases for the purpose of authenticating sensitive transactions should give pause to India’s foreign policy and military planners. That Aadhaar is a centralised database, and therefore susceptible to cyber attacks, is already known. But pervasive “Aadhaar-isation” brings together systems and platforms in a digital ecosystem without interoperable standards for security.

The UID is device-agnostic. Whether an Indian enters her Aadhaar number into a virus-infested desktop at a local cyber cafe or a highly secure iPhone, her device is linked to and authenticated by the Aadhaar database. In almost all cases, there is a two-step authentication process, involving a one-time password from the user. The UID Authority of India claims such authentication (at its most basic level) is a simply “Yes/No” interaction of the Aadhaar database with the machine, and that no biometric or personal information is sent back. Biometric or demographic records of Indians are available today in multiple databases, and hardly an invitation to target Aadhaar servers. Based on the specific transaction involved – filing tax returns, transferring money or purchasing health insurance – Aadhaar, however, creates a “map of maps” of Indians identifying, the platform, device, location and successful/failed attempts at authentication. Coupled with the demographic data that can anyway be extracted from an insecure mobile phone or app, this Aadhaar authentication data is of strategic value to a foreign adversary. (READ MORE)