UIDAI refutes report on Aadhaar software hacking

New Delhi: The Unique Identification Authority of India (UIDAI) on Tuesday dismissed reports of the Aadhaar Enrolment Software being hacked, and said the news was “completely incorrect and irresponsible.” UIDAI added that it has taken full measures to ensure end-to-end security of resident data and no operator can make or update Aadhaar unless the resident himself/herself gives his/her biometric.

The clarification came after a report from a media outlet stated that the Aadhaar database, which contains the biometrics and personal information of over one billion Indians, had been hacked by a software patch which reportedly disables critical security features.

In a statement, the UIDAI said that the claims lack substance and are baseless, adding that certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted.

“Claims made in the report about Aadhaar being vulnerable to tampering leading to ghost entries in Aadhaar database by purportedly bypassing operators’ biometric authentication to generate multiple Aadhaar cards are totally baseless. The report itself accepts that ‘it (patch) doesn’t seek to access information stored in the Aadhaar database’. Its further claim ‘to introduce information’ into Aadhaar database is completely unfounded as UIDAI matches all the biometrics (10 fingerprints and both irises) of a resident enrolling for Aadhaar with the biometrics of all Aadhaar holders before issuing an Aadhaar,” the UIDAI clarified.

The Aadhaar governing body underscored that it has taken all necessary measures, including providing standardised software that encrypts data before saving it to any disk, protecting data using tamper proofing, identifying every one of the operators in “every” enrolment, and identifying every one of the thousands of machines using a unique machine registration process, which ensures every encrypted packet is tracked.

The UIDAI further stated that it has taken full measures to ensure end-to-end security of resident data, spanning from full encryption of resident data at the time of capture, tamper resistance, physical security, access control, network security, stringent audit mechanism, 24×7 security and fraud management system monitoring, and measures such as data partitioning and data encryption within UIDAI controlled data centres.

UIDAI further clarified that no operator can make or update Aadhaar unless the resident himself/herself gives his/her biometric. Any enrolment or update request is processed only after the operator’s biometrics are authenticated and the resident’s biometrics are de-duplicated at the backend of the UIDAI system.

Clarifying that it always checked the enrolment operator’s biometric and other parameters before processing of the enrolment or updates, as part of the Aadhaar body’s stringent enrolment and updation process, the UIDAI said that only after all checks are found to be successful, enrolment or update of the resident is further processed. “Therefore, it is not possible to introduce ghost entries into the Aadhaar database,” the UIDAI said.

It added that even in a hypothetical situation where, by some manipulative attempt, essential parameters such as the operator’s biometrics or the resident’s biometrics are not captured or are blurred, and such a ghost enrolment/update packet is sent to UIDAI, the same is identified by the robust backend system of UIDAI, and all such enrolment packets get rejected and no Aadhaar is generated. Also, the concerned enrolment machines and the operators are identified, blocked and blacklisted permanently from the UIDAI system.

The Aadhaar body said that in appropriate cases, police complaints are also filed for such fraudulent attempts. It added that similar allegations were also made before the Supreme Court during the hearing of the Aadhaar case before the Constitution Bench, which were then adequately responded to by the UIDAI in the apex court.

The UIDAI reiterated that the reported claim of “anybody is able to create an entry into Aadhaar database, then the person can create multiple Aadhaar cards” is completely false. Some of the checks include biometric check of the operator, validity of the operator, enrolment machine, enrolment agency and registrar, which are verified at UIDAI’s backend system before further processing is done.

In cases where any of the checks fail, the enrolment request gets rejected and, therefore, any claim of creating multiple Aadhaar and compromising the database is false. If an operator is found violating UIDAI’s strict enrolment and update processes or if one indulges in any type of fraudulent or corrupt practices, UIDAI blocks and blacklists them and imposes a financial penalty of up to Rs. 1 lakh per instance. It is because of this stringent and robust system that as on date more than 50,000 operators have been blacklisted, UIDAI said.

The Aadhaar governing body further said that it keeps adding new security features to its system as required from time to time to thwart new security threats by unscrupulous elements.

UIDAI has advised people to approach only the authorised Aadhaar enrolment centres in bank branches, post offices and Government offices for their enrolment/updation so that their enrolment/updation is done only on authorised machines and their efforts do not get wasted because of rejection of their enrolments or updates.