Is Aadhar (or IndiaStack) Really a Game Changer?
IndiaStack is a bunch of initiatives started by the government to provide service based APIs (web addresses that can be used to send or request data to and from the government) and is based around the flagship Aadhaar (biometric verified unique identification) project.
If you are not a technology person, a way to understand APIs is to imagine that instead of going to a government office and standing in a queue to fill out a form, you can directly send the information in a formatted manner to a web-address, like, mygov.in/api/accept_driving_license_request. You would not have to format the information yourself, there would be applications that would take in the information in a human friendly manner and format it in a way the API wanted.
The added layer Aadhaar added was that you would verify yourself using your biometrics.
In theory, you can use these APIs outside government too. For example, to provide services where you need the party involved to be verified, like payments, opening of bank accounts, mobile numbers.
The key motivation for Aadhaar though was to correctly identify a beneficiary of a government welfare program so that the services allocated to the beneficiaries was not stolen by middlemen.
At some point, this program took on a completely new direction. In a bid to impress foreign influencers and donors, Indian technocrats started projecting Aadhaar as a game changer. Suddenly Aadhaar was projected to be the solution to all of India’s problem, not just the targeted problem of identifying beneficiaries of government schemes.
This messaging got some traction, and to be fair, it did seem intriguing, and something that had not been done anywhere in the world before. Suddenly the nation’s pride was associated with the success of Aadhaar. Aadhaar became the vehicle that would leapfrog India past the developed nations into the 21st century.
The whole system was rolled out by outsourcing the user facing activities to third parties. This made sure that the risk of execution was passed on to the third parties and the government did not need to invest in the equipment, technology and people needed to roll out such an ambitious program.
This seemed like a really smart move. In astonishing speed, almost one billion people were enrolled and a unique ID was given to each of them.
The success of this model, prompted the architects behind Aadhaar to push this model for all the services. So when the facility to authenticate someone’s biometrics was introduced, it was through third party devices that used third party platforms to send the biometric signature.
Even for other such initiatives, like the introduction of the Goods and Services Tax (GST), the system is designed in a way so that the third party service providers act as a proxy for the government system. This creates a new “middleman” for the government, and even though it is early days, it seems that these service providers will allow the general public to use these APIs only at a cost.
The Real Problem
The third party devices and services that carry out the process, pose a serious privacy and security risk. If someone setup a service to deliver food subsidy with Aadhar authentication, and if they wanted to cheat, all they needed was to give out the food subsidy just one time and save all the biometric signatures. The next time, they could just use the saved biometric signatures to steal all the subsidy for themselves.
The only true way of fixing this is by auditing the process with random checks on the public distribution system. But this can also be done without the Aadhar system. (Incidentally, this was also the problem with the government’s other big game changing initiative, the demonetization program. The way to stop under-reporting of income was to improve the enforcement, not change the currency notes!)
If you feel that third-parties are very safe at handling your data, just look at how many times passwords are leaked on internet platforms, in spite of them hiring the best talent in the world. Even the company that was designed to protect you from such attacks, could not prevent itself from leaking tons of private messages (Cloudbleed).
By inviting so many third party handlers, the architects of Aadhaar not only exposed the users to companies with bad intentions, but also a range of attackers who now have so ways of getting their hands on private data.
Just like a Credit Card
One way to understand Aadhaar from a security point-of-view is to think of at it as a credit card. A credit card is unique, linked to a person (identity), hard to duplicate and goes via third parties. The credit card ecosystem is protected by strong fraud prevention mechanisms, which is possible because they are used for very specific purposes. Every time a doubtful transaction happens, your bank will usually call you to re-verify if you were the one doing the transaction. Also there are ways to challenge a particular transaction if you suspect you have not made it.
In India, 2-factor authentication (verification by two different methods or parties) is mandatory for credit cards. Likewise it should also become mandatory for using Aadhaar too. Till Aadhaar has the right mechanisms to fight fraud, its use should be tightly controlled.
There is No Silver Bullet
While Aadhar is a great tool for making government more efficient, it is not a silver bullet for hard problems like corruption. There is no doubt that most government process should move to automated systems, and having the ability to uniquely identify a person across systems is a great thing. But the biometrics should only be used for de-duplication, not as authentication.
A much better way of authentication is using the person’s mobile phone to send a one-time-password. Passwords, unlike biometrics can be changed, and even in the case, they are leaked, one-time-passwords are completely useless. A biometric signature leaked once can be used as many times as a person wants.
By projecting Aadhaar as a solution that will make India leapfrog in the 21st century, its advocates are doing a great injustice. And no matter how hard the evangelists try, their attempts are only creating more confusion and bringing discredit to it.
The goal of taking India on par with developed nations is a noble one, but one must also be honest about the challenges involved. Insufficient physical infrastructure, lack of world class companies, lack of genuine philanthropy, corruption, lack of education are the real problems that will help India grow.
Authentication is only a small part of the problem. Pinning so much hope on just one solution is not such a good strategy.