Indian authorities issue conflicting advice about biometric ID card security

Government authority forced to backtrack warning that photocopied Aadhaar cards represent a risk

The Unique Identification Authority of India (UIDAI) has backtracked on advice about how best to secure the "Aadhaar" national identity cards that enable access to a range of government and financial serivces.

UIDAI promotes the cards as "a single source offline/online identity verification" for tasks ranging from passport applications, accessing social welfare schemes, opening a bank account, dispersing pensions, filing taxes or buying insurance.

Although Bill Gates has lauded Aadhaar cards for improving access to services, the scheme has been the subject of many security-related scares as inappropriate access to personal information has sometimes been possible, UIDAI's infosec has sometimes been lax, and the biometrics captured to create citizens' records have sometimes been used for multiple individuals. Privacy concerns have also been raised over whether biometric data is properly stored and secured, if surveillance of individuals is made possible through Aadhaar, and and possible data mining of the schemes' massive data store.

UIDAI did not help assuage such fears last Friday, when its Bengaluru office issued that card-holders should not share photocopies of their Aadhaar card because it could be “misused.” Copies of cards were sometimes required when checking into hotels.

The organisation advised users instead to use a “masked version” of the card that only displayed the last four digits of the holder's identity number. UIDAI also warned against erroneously leaving copies of an Aadhaar on public computers, like at a café or kiosk, or giving away information to organizations that are not licensed to use Aadhaar as a credential.

That advice did not go down well as users recalled the many occasions on which they had provided a copy of their Aadhaar cards.

UIDAI has previously advised, in an FAQ that “no Aadhaar holder has suffered any financial or other loss or identity theft on account of any said misuse or attempted impersonation of Aadhaar.” The document was likened to a mobile phone number or bank account number, something that requires “ordinary protection” to secure privacy.

By Sunday, UIDAI issued a clarification that the warning was issued in the context of potential photoshopping of an Aadhaar card and that due to misinterpretation, the organization was withdrawing the advisory issued from Bengalurus.

“UIDAI issued Aadhaar card holders are only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers,” said UIDAI in a canned statement before describing the technology’s ecosystem as having “adequate features for protecting and safeguarding the identity and privacy” of the user.

That advice, and the fact that an altered card would not change the centrally-stored ID info in the Aadhaar database, seems to have satisfied many. But UIDAI has not clarified how photoshopping an Aaadhaar card would create a risk. The Register fancies replacing the photograph on the card could make it a handy fake ID - hardly worth the panic of recommending against an established practice. ®

Broader topics

Other stories you might like

  • India shares its e-government tools with all as India Stack
    Identity, payments, data management – the lot – as digital public goods

    The Indian government has decided to share with the world the many e-governance tools it has created to run the country, under the name

    Prime minister Narendra Modi announced the stack yesterday, declaring "This offering of India to the Global Public Digital Goods repository will help position India as the leader in building Digital Transformation projects at a population scale and prove to be of immense help to other countries which are looking for such technology solutions."

    Such nations can now get their hands on India's identity service Aadhaar, the DigiLocker cloud storage locker, the CoWin Vaccination Platform, the Government e-Marketplace, and the Ayushman Bharat Digital Health Mission.

    Continue reading
  • Intuit pulls QuickBooks from India, uncomfortably quickly
    Walks away from enormous but parochial market, while leaving global development teams in place

    Accounting software colossus Intuit has decided to pull its QuickBooks product from India.

    The decision comes into effect on January 31 2023, after which QuickBooks products and service offerings for accountancy and small business customers will no longer be available in the world's second most populous country.

    "After careful consideration, the decision was made that we can no longer continue to deliver and support QuickBooks products that serve the needs of small businesses and accounting professionals across India," reads a notice posted yesterday.

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading

Biting the hand that feeds IT © 1998–2022