Though the UIDAI has asked the police to investigate, it was not fully convinced about the nature of the incident
The Unique Identification Authority of India (UIDAI) has registered a criminal case against unknown persons after it found that biometric details of individuals were illegally stored and used for carrying out unauthorised transactions.
Under the UIDAI Act, storing of biometrics and using these for any purpose other than for authentication or verification by the registered agencies is a criminal offence punishable by a jail term of at least three years.
Though the UIDAI has asked the police to investigate, it was not fully convinced about the nature of the incident.
In the First Information Report (FIR), reviewed by Business Standard, the UIDAI said “certain persons in clear violation of the provisions of the Aadhaar Act, 2016, the IT Act and other provisions of various laws in force have tried to do unauthorised authentication, impersonation and have indulged in spreading false rumour regarding the Aadhaar eco-system.
The issue was enquired into at the UIDAI headquarters and it was found that the video posted in the said article presumably demonstrated a lady performing authentication under the name of Gaurav Vasant Nikam.”
The UIDAI acted after Sameer Kochhar of the Skoch group wrote an article and posted a video on Twitter allegedly showing how the “Aadhaar authentication system was flawed and vulnerable.”
“In a conversation someone claimed that Aadhaar data can be hacked and explained the process. Finding it incredible, I asked the person for proof and I was sent a video claiming an ethical hack of Aadhaar, which I published with the story.
We have the electronic trail of the related communication with the source. We have never asked anyone to hack the Aadhaar data and I have neither ever met nor know the people in the video who did the hack.
I am a patriot first and then a journalist and did my duty,” Kochhar said, denying any knowledge that a case has been registered against him. “I have no knowledge of it and no one has approached me,” he said.
In its own investigation, the UIDAI found that Aadhaar data was intact on its servers, but multiple concurrent transactions using the same biometrics had taken place at the end of its empanelled agencies.
The UIDAI investigation revealed that the biometric match score was the same for many transactions. The match score can be constant only if the biometrics are stored and re-used. An individual’s match score differs every time because the angle and hand pressure vary while matching fingerprints.
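The two signals described above (an identical match score across many transactions, and concurrent transactions on the same biometrics) can be checked over an authentication log. The following is an added example, not code from the UIDAI or from the article; the record layout, the subject and device names and the thresholds are assumptions, and the sample data is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log, not real data. Field layout is an assumption:
# (timestamp, agency, subject reference, capture device, match score)
SAMPLE = [
    ("2017-02-01T10:00:00", "AUA-A", "subj-001", "dev-1", 87.31),
    ("2017-02-01T10:00:02", "AUA-A", "subj-001", "dev-2", 87.31),
    ("2017-02-01T10:00:03", "AUA-A", "subj-001", "dev-3", 87.31),
    ("2017-02-01T10:05:00", "AUA-A", "subj-001", "dev-1", 87.31),
    ("2017-02-01T10:01:00", "AUA-B", "subj-002", "dev-9", 91.20),
    ("2017-02-01T11:30:00", "AUA-B", "subj-002", "dev-9", 84.75),
    ("2017-02-01T12:10:00", "AUA-B", "subj-002", "dev-9", 88.02),
]


def find_replay_suspects(records, min_repeats=3, window=timedelta(seconds=5)):
    """Return {subject: evidence} for subjects whose transactions look replayed."""
    by_subject = {}
    for ts, _agency, subject, device, score in records:
        by_subject.setdefault(subject, []).append(
            (datetime.fromisoformat(ts), device, score))

    findings = {}
    for subject, rows in by_subject.items():
        rows.sort()
        # Signal 1: a live capture should not yield the exact same score repeatedly.
        counts = Counter(score for _, _, score in rows)
        repeated = {s: n for s, n in counts.items() if n >= min_repeats}
        # Signal 2: one person cannot be at two devices within a few seconds.
        concurrent = sum(
            1 for (t1, d1, _), (t2, d2, _) in zip(rows, rows[1:])
            if d1 != d2 and t2 - t1 <= window)
        if repeated or concurrent:
            findings[subject] = {"repeated_scores": repeated,
                                 "concurrent_pairs": concurrent}
    return findings


if __name__ == "__main__":
    for subject, evidence in find_replay_suspects(SAMPLE).items():
        print(subject, evidence)
```
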
The UIDAI has asked the Delhi Police to investigate violation of various provisions under the UIDAI Act, the Information Technology Act, and the Indian Penal Code. The thinking in the UIDAI was that the incident could be a deliberate attempt to tarnish its image. But there was no denying that the incident had exposed the vulnerability at the end of the authentication user agencies (AUAs).
The police have registered a case against unknown persons under penal code Sections 409 (criminal breach of trust by public servant, or by banker, merchant or agent), 419 (punishment for cheating by personation), and 120 B (criminal conspiracy). Besides invoking provisions of the UIDAI Act, the police have also added Section 65 (tampering with computer source documents) and Section 66 C (punishment for identity theft) of the IT Act.
The UIDAI, which heard its AUAs on Monday, was now deliberating whether it should take action against the authentication user agencies by terminating their contracts or wait for the police to complete their investigation.
Currently, about 400 agencies, both government and private, are registered with the UIDAI for the purpose of authentication and e-KYC (know your customer) as well as cashless transactions through the Aadhaar-enabled payment system.
These agencies use Aadhaar services without paying a fee. The agencies take fingerprints of a person and then relay these to the Aadhaar database for verification.
The UIDAI sends back a message confirming or denying the identity of the person. Similarly, banks use the Aadhaar payment system to make cashless transactions by taking the fingerprints of the person and matching them with the Aadhaar database.
Till date, 320 million monetary transactions have taken place using the Aadhaar-based payment system and over 4,000 million transactions have used Aadhaar for authentication purposes.
Experts have criticised the Union government on two counts. They alleged that the government spent hundreds and thousands of taxpayers’ money to build databases to help private businesses save huge costs.
Their argument was based on the fact that telecom service providers and banks had saved huge amounts of money, which they would otherwise have spent on verifying their customers and storing the data both offline and online.
A government official, however, argued that the Centre wanted to promote Digital India and that the current policy was for the betterment of residents.
“If the government doesn’t give this service for free, service providers will charge a fee from customers. In future, we may charge service providers,” said a senior government official, who spoke on condition of anonymity.
But the critics are worried that the biometric data of more than 500 million people stored on Aadhaar can be accessed by empanelled agencies and misused.
The recent incident of alleged storage of biometrics and its alleged misuse by some authentication user agencies has brought back an old debate about safe storage of biometrics.