Market regulator Sebi today said investors can use ‘Aadhaar’ cards as a valid address proof for their accounts with brokerage firms, mutual funds, portfolio managers and other capital market entities. [It] is already permitted as a valid identity proof document in the capital market.[From Aadhaar OK as investor ID proof: Sebi]
Obviously, for this identification scheme to be of most use to business, there must be a way for banks to validate the identification numbers that customers present to them, and that validation is going to be automated.
The Unique Identification Authority of India (UIDAI) is creating software that will interface between banks and the Aadhaar portal so that banks can directly access Aadhaar details.[From Banks to get Aadhaar data – The Times of India]
Given the intimate relationship between social and financial inclusion, one of the most important effects of “identity inclusion” is that the financially excluded are given a hand onto the first step of the financial inclusion “ladder”. It is wrong to think of this first step as a bank account, as we so often do in Europe (indeed, the European Commission are proposing to legislate on the right to a bank account even as I write), because for a great many unbanked people, or for that matter overbanked people, the first step is a simple prepaid transaction account. India is already taking the obvious next step of integrating its identity and money infrastructures by providing just such transaction accounts, linked to the Aadhaar scheme.
The pre-paid card, the first in the country based on Aadhaar, will be available in the National Capital Region (NCR) and will work like a mobile pre-paid card that can be topped up in the identified banks [SBI, ICICI, Axis, HDFC, Indian Overseas Bank enabling] any resident with an Aadhaar number to walk into the identified 100 outlets by these banks and open a prepaid account with a card.[From Soon, get prepaid cards for bank account based on Aadhaar number – Economic Times]
Now, there are of course risks in a system that uses a single centralised database in this way. In the fake fingerprint example given above, the risk is that you can pretend to be someone else. But there is a much bigger risk: once you can get a fake entry into the database you are “behind the wire”, so to speak, and your fake identity will never be challenged, because every later check is made against the very database that holds it. This has already happened in the Indian system.
Some have managed to beat the so-called unbeatable Unique Identification (UID) system and got fake Aadhaar numbers generated raising security concerns over UPA’s new UID based governance model.[From UIDAI cancels 3.84 lakh fake Aadhaar numbers – Hindustan Times]
There are a variety of ways to get onto the database fraudulently, but one mechanism that seems to have been exploited right from the beginning is exception handling. In any system of this scale, the human factor must come into play. Since it is not possible to register everyone through the normal channel (e.g., disabled people without usable fingerprints, people in witness protection programmes, spies and so on), there must be exception channels, and these become an attack vector: an enrolment made under an exception bypasses exactly the biometric check that is supposed to keep duplicates and fakes out.
Delhi government officials have detected a large number of fraudulent enrolments in the first phase of Aadhaar that ended in February after registering 1.3 crore people in the city. Officials in the Unique Identification Authority of India (UIDAI) said on Monday many people got themselves enrolled without providing their biometric identification. The “biometric exception” clause is essentially meant for rarest-of-the-rare cases, say, for people with high degree of physical disabilities, they said.[From Fake enrolments in Aadhaar Phase-I spark security fear]
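If the exception clause really is for rarest-of-rare cases, then its use is something the operator of the scheme can measure, and an enrolment operator or centre that uses it far more often than the population could justify is the obvious place to look. The audit below is an added example, not code from the post or from UIDAI: the CSV log format, the operator names, the thresholds and all the rows are constructed for illustration. It counts, per operator, how many enrolments were made under the biometric exception, flags operators whose exception rate is both high and based on more than a single case, and lists exceptions that carry no recorded reason, since every exception should be reviewable.

```python
"""Audit of the "biometric exception" channel in an enrolment log (added example)."""
import csv
import io
from collections import defaultdict


def _row(i: int, operator: str, exception: str, reason: str = "") -> str:
    # Constructed log line: timestamp,centre,operator,enrolment_id,biometric_exception,reason
    return (f"2012-02-{1 + i % 28:02d}T{i % 24:02d}:00,NCR-{operator[-1]},{operator},"
            f"E-{operator}-{i:03d},{exception},{reason}")


# Constructed sample log. OP-1 never uses the exception, OP-2 uses it once with a
# reason, OP-3 uses it for 12 of 30 enrolments and usually records no reason.
SAMPLE_LOG = "\n".join(
    ["timestamp,centre,operator,enrolment_id,biometric_exception,reason"]
    + [_row(i, "OP-1", "no") for i in range(40)]
    + [_row(i, "OP-2", "yes" if i == 7 else "no", "double amputee" if i == 7 else "")
       for i in range(40)]
    + [_row(i, "OP-3", "yes" if i % 5 in (0, 1) else "no", "disabled" if i % 10 == 0 else "")
       for i in range(30)]
)


def audit_exceptions(log_text: str, max_rate: float = 0.05, min_exceptions: int = 3) -> dict:
    """Per-operator exception statistics plus the operators that look like they are
    using the exception clause as an enrolment channel rather than for rarities.

    An operator is flagged when they have at least `min_exceptions` exception
    enrolments (so one genuine hard case is not flagged) and their exception rate
    exceeds `max_rate`. Both thresholds are assumptions to be tuned per deployment.
    """
    total = defaultdict(int)
    exceptions = defaultdict(int)
    unreasoned = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        op = row["operator"]
        total[op] += 1
        if row["biometric_exception"].strip().lower() == "yes":
            exceptions[op] += 1
            if not row["reason"].strip():
                unreasoned[op].append(row["enrolment_id"])
    stats = {
        op: {
            "enrolments": total[op],
            "exceptions": exceptions[op],
            "rate": exceptions[op] / total[op],
            "unreasoned": unreasoned[op],  # exceptions with no reason recorded
        }
        for op in total
    }
    flagged = sorted(op for op, s in stats.items()
                     if s["exceptions"] >= min_exceptions and s["rate"] > max_rate)
    return {"operators": stats, "flagged": flagged}


if __name__ == "__main__":
    result = audit_exceptions(SAMPLE_LOG)
    for op in result["flagged"]:
        s = result["operators"][op]
        print(f"{op}: {s['exceptions']}/{s['enrolments']} exceptions "
              f"({s['rate']:.0%}), {len(s['unreasoned'])} without a reason")
```

The same two numbers (exception rate and unexplained exceptions) can be rolled up by centre or by supervisor instead of by operator; the point is that an exception channel is only safe when its use is counted and reviewed, not merely permitted.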
This sort of thing is inevitable in such a scheme. But there is another problem with centralisation: it creates a “honeypot” for personal data. And, again, the theft of this data is hardly hypothetical.
Biometric information from over 14 lakh people has gone missing. This could lead to vital data falling into criminal hands.[From Biometric information of 14 lakh Aadhar applicants goes missing : Postnoon]
It is not for me to say whether the benefits of Aadhaar outweigh the risks, since I genuinely do not know. But what I would say is that this architecture is not right for the UK or the USA. The better architecture is to have very strong authentication against a revocable token (e.g., a smartphone) and to use biometrics in the central database purely for the purpose of eliminating duplicate enrolments. The central database is there to ensure that identities are unique, but transactional authentication is against the token, so a relying party never needs to go near the biometric data and a lost or compromised token can be revoked without touching the identity behind it. Without going into all of the reasons why (OK, here is one: undercover police officers must be able to have two tokens, one for their police identity and one for their undercover identity), the more decentralised option provides more security and more privacy at the same time. When the UK comes (as it inevitably will) to require some kind of “entitlement card”, then I hope that it chooses that option.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.