
India’s Aadhaar Software Hacked, ID Database Compromised, Experts Confirm - anivar
https://www.huffingtonpost.in/2018/09/11/uidai-s-aadhaar-software-hacked-id-database-compromised-experts-confirm_a_23522472/
======
lovelearning
I have to admire the courage of the people who have investigated and reported
this, given that the entire leadership of UIDAI and its backers in the central
government are intolerant of any criticism and have been known to file police
complaints[1] against journalists, critics and whistleblowers. Even its
visionary and leading cheerleader from the private sector preferred to imagine
conspiracies rather than acknowledging its weaknesses [2].

[1]: [https://thewire.in/tech/uidai-files-fir-tribune-reporter-
aad...](https://thewire.in/tech/uidai-files-fir-tribune-reporter-aadhaar-
breach-story-report)

[2]: [https://timesofindia.indiatimes.com/india/theres-an-
orchestr...](https://timesofindia.indiatimes.com/india/theres-an-orchestrated-
campaign-to-malign-aadhaar-nandan-nilekani/articleshow/62453569.cms)

~~~
vthallam
you link anything to `thewire.in`, I would call it propaganda. The other
commenter on the thread asked a question about why can't the said journalist
back up the claims about a $10 app.

Hate the govt all you want, but the Aadhar as you know is started by previous
govt. It is if designed properly a good way to eradicate corruption for
welfare schemes, so any ideas on how to do that are more appreciated than
playing blame game on HN.

~~~
pritambaral
> you link anything to `thewire.in`, I would call it propaganda.

So you would colour everything by a certain journal with the same brush,
without even looking into the reported claims? In the cited case, the content
in the link (and the claim for which they were cited) is easily verified from
multiple sources: [1], [2], and [3]. Even when The Daily Mail reports
something outrageous and easily verified I verify it, and The Daily Mail is a
tabloid.

> Hate the govt all you want, but the Aadhar as you know is started by
> previous govt.

This is neither here nor there. The "previous govt." was four years ago. In
these four years, the current govt. — who used to claim to be staunchly
against Aadhaar back then — have turned tail and zealously forced people into
registering for Aadhaar and linking it with their phones, bank accounts, and
even made it mandatory for kids to attend school. "But four years ago, someone
else started it!" is a pointless argument when the current party has far more
than enough time to fix it, or even just acknowledge the flaws.

> so any ideas on how to do that are more appreciated than playing blame game
> on HN.

Criticism is not a "blame game", unless the criticised turns it around and
blames someone without accepting or refuting the criticism. Entertaining and
listening to criticism _IS_ a good way to improve one's product, not stuffing
one's fingers into one's ears and claiming your product is the best ever and
"unhackable" and filing police complaints against your critics to silence
them.

\----

1:
[https://www.livemint.com/Politics/hZGXG4q43ZeeTp2HH5QlaK/Aad...](https://www.livemint.com/Politics/hZGXG4q43ZeeTp2HH5QlaK/Aadhaar-
data-breach-UIDAI-files-FIR-against-The-Tribune-j.html)

2: [https://www.tribuneindia.com/news/nation/uidai-responds-
afte...](https://www.tribuneindia.com/news/nation/uidai-responds-after-
outrage-over-fir-against-tribune-reporter/524951.html)

3: [https://www.firstpost.com/india/uidai-files-fir-against-
the-...](https://www.firstpost.com/india/uidai-files-fir-against-the-tribune-
reporter-rachna-khaira-for-aadhaar-data-breach-story-4291109.html)

------
kcsomisetty
I expected better discussion on HN (apart from sensationalist articles), the
article does a poor job intentionally though.

Summary

1\. Existing data is not compromised

2\. Duplicate data can't be entered or overwritten

3\. BUT, ghost accounts can be created easily.

Aadhar was introduced to fight ghost accounts who siphon off subsidies
provided for poor. This hack/patch defeats that purpose.

I still think this is not a big problem as it looks on surface, if Enrollment
software is hacked to accept iris data from photograph,

Can't the Aadhar DB (post enrollment) be scanned for all enrolled iris data
with poor quality iris data and they be monitored and deleted ?

Another problem is still there, what if the operators enroll citizens from a
different country as indians, essentially creating ghost accounts (from
citizens of different country). i dont know how to stop such a situation.

Biometrics is never a good model for authentication, i dont know what these
people were think when they designed it.

~~~
denzil_correa
> I expected better discussion on HN (apart from sensationalist articles)

There are three people across three different parts of the world who
corroborate the report - CTO of a global technology group, a security based
analyst and a professor of Computer Science. I wonder how this is
"sensationalist".

> "Having looked at the patch code and the report presented by Anand, I feel
> pretty comfortable saying that the report is correct, and it could allow
> someone to circumvent security measures in the Aadhaar software, and create
> new entries. This is pretty feasible, and looks like something that would be
> possible to engineer," Wallach said.

~~~
amf12
> There are three people across three different parts of the world who
> corroborate the report - CTO of a global technology group, a security based
> analyst and a professor of Computer Science. I wonder how this is
> "sensationalist".

OP is not negating the problem. However, the title implies that the existing
database has been breached, which is not true. Author could have given a
better title which implies that ghost entries could be added and existing data
has not been compromised.

~~~
intended
The whole point of the system is to give a single confirmed Identity for
citizens of India.

at this point the purpose of the exercise has been voided.

Saying that "the data has not been compromised" is a red herring, thats the
case for when our biomterics are lost and our privacy breached which is a
whole _different_ issue with this database, one among many of its other
problems.

At this point if the data is crud, whats the point of using this system?

~~~
ppurka
Actually, having an Aadhar number does not imply that the person is a citizen
- this is one of the statements present in the application form itself. So, it
is possible for non-citizens to have an Aadhar number.

~~~
lenkite
So Aadhar is meant for the whole world including our neighbouring citizens
(and Intelligence agencies) of Pakistan and China ? Thank you for educating
me, I didn't know that. Its truly wonderful and neighbourly that they get the
convenience of self-registration without providing proof and customizing their
bio-metrics during upload. Only Indian citizens should be held to a higher
standard.

------
Karupan
As an Indian developer, I cringe every time the government claims a system is
un-hackable. Especially when contracts are handed to one of the big Indian IT
companies. Having started my career in one of those companies, I saw firsthand
how most of the development process was just filling in gaps. Security through
obscurity was thought to be “highly secure” and security experts were non
existent.

No surprises that the database was compromised. Aadhar is a fundamentally
flawed system and nothing will ever be done about it.

~~~
kamaal
No amount of 'security' will help here. That's because every one including the
people don't give a dime about 'security' in India.

In Aadhar enrollment centers, passwords are shared. You might like to
introduce an OTP like concept, but phones are shared too. 2FA? nice try, but
then people also share answers to security questions. Next what? DNA
authentication? Biometrics? guess what none of those are any where near
reliable and they are mostly identity related things and not authentication
related things.

There is also government policy. Which is lapse. Mostly run by civil servants
who understand nothing about technology. IAS is largely a trivia testing exam
with focus on things like meeting and group discussion skills. The head of
UIDAI recently claimed that data could not have been possible stolen as the
data was still in their database :)

This is a phenomenal lapse at every level.

Software is one thing, but if your people have decided to work around it, its
basically all over.

~~~
vishnugupta
+1.

We also need to consider the motivations for working around 2FA or any such
authentication systems. One is convenience as you've pointed out.

The other, much bigger motivation IMO, is opportunity to make money. As the
article points out once enrolment was outsourced (Rs30/enrolment) it was
immediately seen a money making venture so a whole bunch of these centres with
dubious credentials surfaced. They were entrusted with document verification
too so they would happily accept just about any piece of paper as proof of
address. Then there was a business of charging desperate people money to
create Adhaar account without which they wouldn't get subsidies.

And then they shut down (50,000 or so) these enrolment centres. Did they
expect that all those employed at those centres who lost their jobs to not do
anything about it!? Of course they would figure out ways to enrol people!!

------
amrrs
Time and Time again Aadhar's privacy data have been compromised and Yet,
Officials have strongly denied all those claims - only possible because still
people believe all the false claims by those officials and government in terms
of Aadhar. Even to the level that a guy once wrote a scraper (opensourced on
github) that can fetch Aadhar info online.

It's no doubt that Aadhar was a blatant copy of bringing an SSN-type ID in
India but failed terribly as the Government was more interested using Aadhar
to show their domination rather than put it for actual purpose. Eg: Govt made
Aadhar mandatory for Tax filing, India's Top Supreme Court denied. The same
thing happened in many instances.

This is a nice lesson, why simply coping a solution from the US can't be made
to work in a developing nation because the system and officials are so fragile
that they need to be first fixed than the solution itself!

~~~
signal11
Aadhar is nothing like SSN. I wish it was. SSN doesn’t require biometrics —
Aadhar takes fingerprints and iris scans. School kids don’t need SSNs to sit
for their school boards. You can sit for university exams without SSNs. You
can shop at Amazon without giving them your SSN[1].

[1]
[https://news.ycombinator.com/item?id=15796242](https://news.ycombinator.com/item?id=15796242)

In fact SSN use has become more restricted over time, thanks to various pieces
of privacy legislation. Meanwhile in India they still don’t have _any_ privacy
legislation last I checked, so it’s open season on your data.

Aadhar is ambitious all right — an attempt to assign every every Indian
resident a number and use that number as a unique key for almost everything
(public or private). The surveillance opportunities this presents is
breathtaking.

Of course the good folk at India Stack love this because it enables them to
build better apps. Move fast and break things, indeed.

~~~
n_t
watch this
([https://www.youtube.com/watch?v=Erp8IAUouus](https://www.youtube.com/watch?v=Erp8IAUouus))
and tell me if SSN is good for even US?

------
elyobo
Undeniably bad, but I'm fighting off a slight sense of schadenfreude here, due
to their prior claims[1].

[1] [https://www.troyhunt.com/is-indias-aadhaar-system-really-
hac...](https://www.troyhunt.com/is-indias-aadhaar-system-really-hack-proof-
assessing-a-publicly-observable-security-posture/)

~~~
zik
Yes it looks like their security was really amateur hour stuff too, with a lot
of the authentication done on the client side. This makes their claims that it
was "hack-proof" look particularly embarrassing.

------
walterbell
Apparently the breach is now being proxied by the fired private operators
through government offices. Can this cashless money flow be traced? Even
burner mobile phone numbers are linked to the same compromised national
identity database.

Who could benefit indirectly from the breach? Could the Indian government turn
to Facebook and WhatsApp for help with identity profiling? Is Facebook Indian
data held in Indian data centers?

This story will find its way into future documentaries on the history of
"Papers Please".

 _> in February 2018, the UIDAI terminated all contracts with common service
centres as well .. Henceforth, only banks and government institutions like the
postal service can enrol Aadhaar users. As a consequence, tens of thousands of
young men, with rudimentary education but great familiarity with the Aadhaar
system, were put out of work.

> In interviews, out-of-work operators claim they can still use the hacked
> enrolment software to generate enrolment ids (the first step in the Aadhaar
> registration process) and have tied up with sources working in authorised
> centres who complete the registration process for a fee.

> ... creates a whole new set of problems and could defeat many of Aadhaar's
> purported aims, such as reducing corruption, tracking black money,
> eliminating fraud and identity theft. It also means that the Aadhaar
> database is vulnerable to the same problems of ghost entries as any other
> government database

> the Indian government has sought to make Aadhaar numbers the gold standard
> for citizen identification, and mandatory for everything from using a mobile
> phone to accessing a bank account.

> Sourcing the patch is as easy as gaining access to one of thousands of
> WhatsApp groups where the patch, and the usernames and passwords required to
> login to the UIDAI's enrolment gateway, are sold for as little as Rs 2,500.
> Payments are made through mobile wallets linked to phone numbers that
> quickly go dead after the transactions are complete._

~~~
wiz21c
>>> Who could benefit indirectly from the breach?

This and who will buy those data ?

Everybody scream about the hack but I've never found a comprehensive study
over how these personal data are sold, abused. Maybe to break gazillions of
FaceBook/github/you-name-it accounts ? Then what, who will use those data ?
Thieves ? Criminals ? If it's just that well, that's a minor inconvenience.

If it's secret services of adversary powers, well, that's a whole lot
different.

Anybody has facts on that ?

~~~
wtmt
> Then what, who will use those data ? Thieves ? Criminals ? If it's just that
> well, that's a minor inconvenience.

It's only a minor inconvenience if you can sit in a comfortable place and
pontificate on Hacker News about these things. Seems like you're not even
aware that people have already lost their pension money or bank account
balances or didn't get food that they were entitled to and died in the process
— everything related to the coercion in the Aadhaar system and how it can be
misused by others for fraudulent purposes.

Perhaps your privilege in life is standing in the way of understanding how bad
things are with the Aadhaar system. Please search for #AadhaarFail on Twitter,
look for articles on scroll.in and thewire.in (two sites that some people do
hate) and rethinkaadhaar.in.

~~~
wiz21c
Now I'm reading my comment again, I see how I offensed some people here. My
idea was more like "globally thinking", like in "geopolitics", in that case,
even a few deaths is not much (it's like people who allocate money for cancer
research : they have to make sure the population is globally better; it
doesn't mean every one should get out alive). And my wording was rather poor.
Sorry it was absolutely not the idea I wanted to convey. Mea culpa.

------
DyslexicAtheist
Indian government site asking for aadhar data in Bihar:

[http://210.212.23.57/online/OnlineApply/Notice.aspx](http://210.212.23.57/online/OnlineApply/Notice.aspx)

They just made aadhar mandatory for every school kid in Mumbai Maharashtra.
Good luck to anyone who has to share share their childrens details on an
insecure platform.

~~~
amf12
>
> [http://210.212.23.57/online/OnlineApply/Notice.aspx](http://210.212.23.57/online/OnlineApply/Notice.aspx)

HTTP. FFS.

~~~
pritambaral
It's not like HTTPS would have helped much. It's an arbitrary IP address. How
is a user supposed to verify an arbitrary IP address is not an attacker? This
is what '.gov.in' is supposed to be for.

------
rohan1024
> In 2017, the UIDAI said it had blacklisted 49,000 enrolment centres for
> various violations, and in February 2018, the UIDAI terminated all contracts
> with common service centres as well.

Seems like they are well aware of this hack.

Skimming through the article, it seems the attacker can register himself in
the system but not read data from the system. Also, there's no mention of 1.2B
records being compromised.

~~~
bhanu423
Actually, the records are already public, remember the fiasco where Telecom
Regulatory Authority of India’s Chairman RS Sharma had posted his Aadhar
number online. The whole point of the Aadhar Challenge was to demonstrate
leaked database/Aadhar number is not an issue. Apart from the curated datasets
that can be bought even on Facebook groups, it is actually very easy to mine
large datasets from Google itself.

~~~
walterbell
Any references on this topic?

~~~
bhanu423
I don't want to post any direct link to anything but you are google 'Aadhaar
data leak through Google search' to vast amounts of links/references. Kinda
Meta right, I know. If you want to know more about the incident you can google
'aadhaar challenge'.

------
n_t
One of the reasons why India needs some kind of people authentication is
rampant corruption! Corruption at a scale that most of people in Europe or US
cant even imagine. Add to it the culture which celebrates corruption and
eulogizes people who find loopholes in system. As soon as a policy or rule is
implement, someone gets to work to find a loophole and profit. Schemes and
subsidies for poor get siphoned by rich and powerful by creating fake people,
less than 2% of citizen's pay taxes by just disappearing in records, billions
of dollars of unnamed properties exist because owners are fake people on
record, someone else appears for exam on a student.

While I still dislike citizen's database, I can also see why some kind of
person authenticator is needed for country like India. I sat through UIDAI
architects presentations, and from what I could tell that substantial thought
was given to design. So while I maintain skepticism for such database, I also
believe India needs some way authenticate various transactions (monetary or
otherwise). SSN is a joke, at least Aadhaar was given substantial thought.

~~~
akudha
_someone gets to work to find a loophole and profit_

Please - this is pretty much how it works everywhere, nothing unique to India.

Why do you think lawyers, accountants etc in the corporate world get paid so
much? Do you remember the U.S president saying avoiding federal taxes makes
him smart?

 _the culture which celebrates corruption_

What are you basing this on? There is no question there is rampant corruption,
but saying the culture _celebrates_ it is taking it a bit far

~~~
JumpCrisscross
> _avoiding federal taxes makes him smart?_

I avoid taxes. I contribute to my IRA, donate to charities and deduct my home
office space. What I don’t do is evade taxes by not declaring income.

------
febin
Unfortunately our government doesn't accept the truth. If someone tries to
educate people about the vulnerability, they are labelled anti-national.

~~~
abhiminator
Ironic, considering the fact that protecting the privacy of citizens is in a
nation's interest.

~~~
FroshKiller
I need you to show your work on that one, guy.

------
eklavya
I don't know how many times this will have to be repeated. Aadhar, GST, all
implemented by the worst possible companies in terms of talent. WTF is wrong
here, there are plenty of talented people around. Or just crowdsource it or
give it to the universities to build or something.

~~~
black_puppydog
I want to say that maybe the really talented people / good companies have no
interest in building a central database with such dystopian potential. But
then again... fb, twitter, ...

~~~
throwaway_tvs1
Erm, Google, Microsoft, ... most of SV ?

~~~
black_puppydog
like I said, I really _want_ to say that. Sadly that wouldn't make it true...

------
bufferoverflow
Is this complete incompetence? Why wouldn't they generate these numbers on
some centralized secured servers only for the verified individuals? Why give
away the software that generates them at all? That's like giving away your
signing servers.

~~~
arachnids
That is answered in the article

> B. Regunath, a software architect who led the team at Mindtree that worked
> on the project, said a web-based enrolment software for Aadhaar was not
> practical at the time because many parts of the country had very poor
> Internet connectivity.

Of course, anyone who put id generating software on these laptops with the
expectation that it would somehow remain secret was being extremely foolish.
The system should have been designed taking that into account.

~~~
bufferoverflow
Even then, they could have batched the requests for IDs on the laptop, and
then submitted them daily/weekly by driving the laptop to wherever the
internet is.

And of course, each such laptop must have a unique hardware key that would
sign these requests, so copying the software wouldn't compromise anything.

~~~
cm2187
In a country of the scale of India, if your security relies on no laptop being
compromised, you have no security. One is bound to be lost or stolen (or its
user to accept bribes).

~~~
bufferoverflow
You didn't read my comment well. The security in my scenario doesn't rely on
the laptop not being stolen. There's a hardware key. If it gets stolen, it
gets blacklisted.

~~~
dpacmittal
It will not work in India. The whole problem is that the govt pissed off the
operators and incentivized them to create fake aadhar. He whole investment to
setup aadhar enrollment centre was marketed as a good business which will make
people decent sum of money. But that was a very optimistic approximate.
Reality turned out to be far more different. Almost all operators went into a
loss. To recuperate the losses, they started creating fake aadhar. Money
earned for genuine aadhar is Rs. 20, vs Rs. 500+ for a fake aadhar. It was
stupid for operators to not exploit the opportunity.

In this scenario a hardware key is not going to help. It'll only limit the
ubiquity of the hack, but not much else.

------
lifeisstillgood
If I get it:

India has a biometric database with 1B people on it!

... wow ... just wow ...

And adding new people to it is now compromised by a publically available hack,
although getting 1B biometrics on board must have had an error rate that would
be scary anyway.

The UUID created is needed almost everywhere, like driving license numbers
elsewhere.

How much of the scare is "People can be added once but under incorrect names"
perhaps wiping out criminal pasts? or "people can be added more than once"

The second is surely a search problem?

~~~
lmcm82
Maybe I'm in the wrong here, but I imagine most civilised countries have a
database with biometrics of all of its citizens, at least fingerprints.

~~~
svs
Biometric collection is always for specific purpose. General purpose,
compulsory biometric ids exist only in Malaysia IIRC.

~~~
forapurpose
> Biometric collection is always for specific purpose.

But if you add up all the specific purposes, most/all people are included.

------
regunath_b
I am the guy (Regunath) quoted in this article. I had already vented out at
how one of the journalists approached me with an intent to get a "balanced"
view of the system and ended up writing what he wanted from a pre-determined
agenda. See this :
[https://twitter.com/RegunathB/status/1039411036497956864](https://twitter.com/RegunathB/status/1039411036497956864)

What is not covered in this article is that all data from client (even if
compromised) is validated by a completely different system on the server-side
(any decent system does this and so does Aadhaar) and the client too has
undergone maybe 20 revisions to add features/fix issues - again typical of any
software. The latest version of the client software, I am told, entirely boots
off a secure external storage. Now, older versions might still be i use on the
field. The Enrolment client software has provision to force upgrade the
software and go to the extent of locking up and not allow any new enrolments.
The server counterpart can also check and reject enrolments from previous
versions of client software. All of this was shared to the same reporter and
you can see how much (or how less) of it was actually covered in this fact
finding exercise. Press has the ability to tell the truth or sensationalize,
these guys chose the latter.

------
zaptheimpaler
This is a true story -

I went to a regional passport office to get my Aadhar card about 2 years ago.
I sat in front of a desk with an employee - she was logged in to a website to
that let her upload my picture/biometrics and info into the Aadhar system. The
desk had a post-it 3 feet away from me with the login username/password
written on it.

Since the operators also need to verify biometrically to login, that alone
wouldn't be enough to hack it. But if you think about the general level of
understanding of IT among the public, and probably even the people who wrote
the software, its pretty unsurprising to see it hacked.

Even so, I don't think its really possible for a huge entity like the
government (or even a large company) to learn all the practices around
security/technology without making mistakes and learning under situations with
real consequences. As long as they learn from these mistakes and accept
failure, rather than trying to cover them up, we will get there in time.

------
eklavya
According to the article the database has not been compromised. It's a
compromise of the client which can be used to add new Aadhar entries.

~~~
fellellor
Yeah, that means a lot of false data has been added into the system given how
widely this patched client has been circulated. I don't know what about this
tells you that the database hasn't been compromised?

~~~
eklavya
The first thing that came to my mind when I read the title was that all the
biometrics and all were out. Which would have been much worse and which is not
the case.

~~~
fellellor
This is equally bad, maybe even more so given there is a good chance that a
substantial number of aadhaar accounts are fake. There is, quite simply, no
reasonable defense for this state of affairs.

------
deafcalculus
The biometric scanners probably have big security holes too. In fact, it won't
surprise me if the JTAG is left enabled and anyone can read/write the
firmware!

Aadhaar needs something like TrustRank or a Web Of Trust where identity and
citizenship isn't binary but a continuous number (probability) based on who
and how many vouch for your identity. A lot of citizens, especially in rural
areas, aren't documented very well. It's best to acknowledge that uncertainty
in the system and deal with it.

The public discussion around Aadhaar is very confused. There's hardly anything
wrong with a universal ID for every citizen. There are already several in
India (Driving License, Passport, Voter's ID, PAN card, etc.). The real
privacy issue is around (a) the govt. collecting biometric data, and (b) how
much the govt. / third-party service provider learns about you when you
authenticate your identity using Aadhaar. The UIDAI doesn't even want to
discuss the issue in the open ("trust us, your data is secure. No proof of
hacking whatsoever."), and the use of non-open-source software and closed
biometric hardware is troubling. If biometric scanners are using proper
encryption, who holds the keys? (My guess, the manufacturers have it, and lots
of people who shouldn't have it do have it). What's needed is consensus
building, maybe through a public consultation, about what the majority of
people are willing to disclose to the govt. Biometric isn't an absolute
necessity for Aadhaar to achieve it's stated goals. That said, recent polls
show that the percentage of Indians who trust their govt. is way higher than
in the west, so the govt. can probably get what it wants while playing nice.

There's also very little discussion about how secure the biometrics are.
There's no info about what services are considered sensitive and need more
than a fingerprint. Fingerprints maybe fine for 5 years, but I have a hard
time believing they'll be constant enough for secure identity verification
over 80 years. What happens when biometric fails and a significant chunk of
the populace can't sign, don't remember their date-of-birth or any password,
or even their full name? Again, something like a web of trust would've been
helpful.

------
thisisit
I like how tough topics in India are discussed - everything is tied back to
the central government. Either you a nationalist supporting the central
government or you are a self proclaimed anti-nationalist who dislikes the
current government and their agenda.

One of the things people need to realize is this is a bigger bureaucratic
problem. It has nothing to do with current or previous government. Previous
government pushed this through because it was in their agenda and the current
government cried foul. Now the tables have turned.

What this tells me is that there are lot of private interests which are
playing a huge role in Indian governance, irrespective of the government. And
we as a people getting into petty fights about the nationalist/anti-
nationalist debate are losing sight of the target.

------
wtmt
[Note: I'm anti-Aadhaar, as documented in my profile. My comments below may
sound harsh because of that. Also please note that Aadhaar is a resident
number, and has nothing to do with citizenship.]

Fantastic work! One of the authors of this investigative piece, Rachna Khaira,
was key in exposing a major issue with the "last mile" software and how
cheaply (just Rs.500/about USD 7) and easily someone could get the Aadhaar and
demographic details of almost any resident in the country who's enrolled in
the system. [1] UIDAI's response for her investigation was to file an FIR
(First Information Report/police complaint) against her in an attempt to put
her behind bars. [2]

Activists have always argued that the lack of transparency and information
could mean that there are many "ghosts" (or bogus enrollments) in the Aadhaar
system (which claims that it cannot have "ghosts", ignoring technological as
well as biometric limitations). Now there's no saying how many of the 1.1
billion entries in the Aadhaar system are bogus. As the article states,
private agencies were used to handle the enrollment and capture of biometrics
and recording of demographic information. All these agencies were paid on a
per-enrollment basis. Guess what incentives they would have in a country with
high levels of corruption at many levels? I'm certain that a bulk of the
enrollments that have been issued Aadhaar numbers are bogus.

While activists may feel vindicated that more and more holes are being exposed
in the Aadhaar system (while UIDAI continues to always remain in denial mode),
it's sad that hundreds of millions of people have been left vulnerable by this
poorly designed and poorly implemented system.

> B. Regunath, a software architect who led the team at Mindtree that worked
> on the project, said a web-based enrolment software for Aadhaar was not
> practical at the time because many parts of the country had very poor
> Internet connectivity.

> "People were cranking up generators just to light up power and do the
> enrolment. How can they do an online upload of those packets?" asked
> Regunath, who has since moved to a senior technical position at Flipkart.

What utter nonsense!!! I can't imagine someone calling themselves a software
architect being so gullible and ignorant. The entire Aadhaar system is
dependent on Internet access and connectivity. Post issuance, the
authentication of anyone through biometrics needs real time Internet
connectivity. There's no way around that (even where an OTP is generated, the
initiation of the OTP sent over SMS by UIDAI has to happen by connecting to
UIDAI's web based APIs). Even as recent as last year, people in some places
were forced to climb trees because they couldn't get a good cellular signal
and Internet connectivity. They were forced to do this because the central
government pushed this system as a prerequisites for getting subsidized food
(through what's called PDS or Public Distribution System). [3] UIDAI also had
Windows XP as a recommended OS for these enrollment agencies. [4]

> In 2017, the UIDAI said it had blacklisted 49,000 enrolment centres for
> various violations.

The _sheer hypocrisy and audacity of UIDAI_ here is that it has blacklisted
all these agencies for violations without any legal action. From the time
Aadhaar started in 2009/2010, this number averaged to about two agencies
blacklisted every hour! But point out some security issue or a gap? You'll be
facing a court case!

_____

This whole system has been patchworks of patchworks of patchworks,
continuously in denial mode when experts ask questions on security, audit,
privacy, etc. I would prefer that it be completely thrown out, like how UK did
with its national ID program several years ago. India doesn't need such
enemies from within that/who make it easier for hostile entities/groups to
disrupt or decimate the country! UIDAI needs to be shutdown as well, since
nobody in-charge of the organization has shown technical or critical thinking
ability, or has had the humility to face questions without getting into
continuous denial.

 _The verdict in the petitions against Aadhaar is pending from the Supreme
Court. I hope the verdict comes to save all the residents of India, and to
save the country itself._

[1]:
[https://www.tribuneindia.com/news/nation/rs-500-10-minutes-a...](https://www.tribuneindia.com/news/nation/rs-500-10-minutes-
and-you-have-access-to-billion-aadhaar-details/523361.html)

[2]: [https://www.firstpost.com/india/uidai-files-fir-against-
the-...](https://www.firstpost.com/india/uidai-files-fir-against-the-tribune-
reporter-rachna-khaira-for-aadhaar-data-breach-story-4291109.html)

[3]: [https://timesofindia.indiatimes.com/india/need-internet-
to-b...](https://timesofindia.indiatimes.com/india/need-internet-to-buy-pds-
rations-go-climb-a-tree/articleshow/57437975.cms)

[4]:
[https://www.voltairenet.org/IMG/pdf/module3b_installation_co...](https://www.voltairenet.org/IMG/pdf/module3b_installation_configuration_of_aadhaar_enrolment_client_17122012.pdf)

------
known
Govt should recover $1 Billion from Nilekani

~~~
iamshs
Absolutely. That man should be behind bars for designing this atrocious
system.

------
blazespin
¯\\_(ツ)_/¯ I wish I could express some kind of outrage, really, I do. This
should be awful and undermines what I believe a sincere attempt to make India
a better place. But really, what could they or anyone possibly expect?

------
leni536
Off topic: I simply can't find how to opt out of tracking on HuffPost. I get a
GDPR popup and the opting out path leads endless cycles (with occasional
captcha solving).

~~~
severine
Works for me, don't know if my savior is uBlock Origin, uMatrix, or I Don't
Care About Cookies...

[https://github.com/gorhill/uBlock](https://github.com/gorhill/uBlock)

[https://github.com/gorhill/uMatrix](https://github.com/gorhill/uMatrix)

[https://www.i-dont-care-about-cookies.eu/](https://www.i-dont-care-about-
cookies.eu/)

------
gammateam
its kind of weird that they call the vulnerability itself "a patch"

I can be pedantic too and can see how there isn't really a distinction between
an exploit and a patch as they both modify the software, but thats a weird
colloquialism right?

~~~
fellellor
It sounds to me like a game crack which are basically patches since they make
the software concerned more user friendly.

------
person_of_color
Sad face :(

------
vishaltelangre
It is hard to believe by relying on just one source. I just checked other news
sources in India, and no one has any news about any recent Aadhaar breach.

~~~
bhanu423
Kindly understand this article seems to come out of investigative journalism
where the author seemed to have gotten hold of the patch presumably by paying
2500 and then did in-person research to create the article. Once published,
other newsrooms usually do their own pieces if they find it relevant. Since
this article has just been published (only 2 hours ago at the time of writing
this comment), I wouldn't refute the article just on the basis of this
criteria. I would usually wait for 1-2 days before using the above criterion
to evaluate the article.

~~~
vishaltelangre
You've actually reworded what I have already said. Since there is no official
statement from UIDAI or multiple private news sources reporting the same
incidence; this article/blog is not worth believing yet.

~~~
talonx
On the contrary. This was _investigated_ by a reporter(s) from the mentioned
source and published. Other news publications need to verify it independently
before publishing it themselves.

And on the "official statements" part, it's kind of naive to expect that they
(UIDAI) would put out any statement given that in the past they have

\- Not acknowledged security issues or made any efforts to do their own
investigation in spite of the numerous reports

\- Turned hostile towards entities who have exposed or reported weaknesses
instead of rewarding them and plugging the loopholes

