Aadhaar Needs a Revisit as Third Parties Make it Vulnerable

By: Faisal Kawoosa, Head – New Initiatives, CMR

Aadhaar as it has been envisioned is to provide a digital authentication system for everyone who wants to use it to validate and verify the credentials of a person approaching for it.  From service providers’ point of view, it brings in ease as they could do real time verification and sign up a user. Now, as the authentication platform becomes widespread in use, it is catching attention of smaller players in the industry, who may not be either able to invest in making systems secure or have the expertise to take appropriate data security measures.

The other side, irrespective of the size of the operator or any entity, government as well, using Aadhar for KYC purposes, is that they mirror the data they have on their servers with that of Aadhar to verify the details.  In this case, even if the data from Aadhar could not be used, the data residing on their private servers could be used for any purpose and may be vulnerable as well.

The issue with current framework of Aadhar and its authentication processes is that it allows any third party to collect data and then verify that with what is stored using an Aadhar number.  Once verified, the data is of same significance as in the Aadhar Data Centres.

What is required to change is not letting any entity to collect data from an individual and then verifying it with Aadhar infrastructure.  Let’s get a bit deeper into why does anyone require Aadhar verification? Take for instance the case of someone approaching a telecom operator for a mobile services connection.  Essentially, it would want to know the name, address and age to issue one. Now, if there is a mechanism put in place where all such requirements are designed to be checked from an ERP of a telco that connects with Aadhar platform through an API.  In this case, the applicant, fills in his/her name and submits the Aadhaar number. The system would then request Aadhar servers to verify if the applicant is of the same name, is an adult and lives in say Delhi. Once, the system checks if the applicant meets the prerequisites, it could simply send a verified message to the screen of the operator or its agent issuing the SIM cards.  In this case, there is no data stored on the third party as well as nothing is fetched from the Aadhar servers other than just validation of pre-defined parameters. However, as required, the service provider could be provided further information on request in case the consumer defaults, etc., and it becomes necessary to know the exact address of residence of the applicant. Similarly, for banking there could be a different set of parameters defined, so on and so forth.   

The requirement to make Aadhar more secure is to actually ensure that there is no loophole where a third-party entity using their platform to validate the credentials is able to access or store the data on their local servers.  Unless this happens, there is every apprehension that through Aadhar number someone could potentially access other information by hacking in to the ‘porous’ systems of entities using it. Else, whatever levels of reinforcements and hardenings UIDAI keeps on adding to Aadhar platform, the threat of data leaks, that too verified will hover around.

Leave a Reply

Your email address will not be published. Required fields are marked *