Indian authorities issue conflicting advice about biometric ID card security
Government authority forced to backtrack warning that photocopied Aadhaar cards represent a risk
The Unique Identification Authority of India (UIDAI) has backtracked on advice about how best to secure the "Aadhaar" national identity cards that enable access to a range of government and financial services.
UIDAI promotes the cards as "a single source offline/online identity verification" for tasks ranging from passport applications, accessing social welfare schemes, opening a bank account, disbursing pensions, filing taxes or buying insurance.
Although Bill Gates has lauded Aadhaar cards for improving access to services, the scheme has been the subject of many security-related scares as inappropriate access to personal information has sometimes been possible, UIDAI's infosec has sometimes been lax, and the biometrics captured to create citizens' records have sometimes been used for multiple individuals. Privacy concerns have also been raised over whether biometric data is properly stored and secured, whether surveillance of individuals is made possible through Aadhaar, and over possible data mining of the scheme's massive data store.
UIDAI did not help assuage such fears last Friday, when its Bengaluru office issued a warning that card-holders should not share photocopies of their Aadhaar card because it could be “misused.” Copies of cards were sometimes required when checking into hotels.
The organisation advised users instead to use a “masked version” of the card that only displayed the last four digits of the holder's identity number. UIDAI also warned against erroneously leaving copies of an Aadhaar on public computers, like at a café or kiosk, or giving away information to organizations that are not licensed to use Aadhaar as a credential.
That advice did not go down well as users recalled the many occasions on which they had provided a copy of their Aadhaar cards.
What nonsense is this! After suggesting (if not forcing) all of us to share #Aadhar with every tom dick and harry, all private companies, all mobile companies, all hotels and after many many assurances in Courts on safety, now #UIDAI @UIDAI come up with this! Cheating public 🤬😡 pic.twitter.com/1d2XtRsjkH — N. Baijendra Kumar (@baijendra) May 29, 2022
UIDAI has previously advised, in an FAQ, that “no Aadhaar holder has suffered any financial or other loss or identity theft on account of any said misuse or attempted impersonation of Aadhaar.” The document was likened to a mobile phone number or bank account number, something that requires “ordinary protection” to secure privacy.
By Sunday, UIDAI issued a clarification that the warning was issued in the context of potential photoshopping of an Aadhaar card and that due to misinterpretation, the organization was withdrawing the advisory issued from Bengaluru.
#Aadhaar holders are advised to exercise normal prudence in using and sharing their Aadhaar numbers. In view of possibility of misinterpretation the press release issued earlier stands withdrawn with immediate effect. https://t.co/ChmbVs8EjJ @GoI_MeitY @PIB_India — Aadhaar (@UIDAI) May 29, 2022
“UIDAI issued Aadhaar card holders are only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers,” said UIDAI in a canned statement before describing the technology’s ecosystem as having “adequate features for protecting and safeguarding the identity and privacy” of the user.
That advice, and the fact that an altered card would not change the centrally-stored ID info in the Aadhaar database, seems to have satisfied many. But UIDAI has not clarified how photoshopping an Aadhaar card would create a risk. The Register fancies replacing the photograph on the card could make it a handy fake ID - hardly worth the panic of recommending against an established practice. ®