Indian authorities issue conflicting advice about biometric ID card security

The Unique Identification Authority of India (UIDAI) has backtracked on advice about how best to secure the “Aadhaar” national identity cards that enable access to a range of government and financial services.

UIDAI promotes the cards as “a single source offline/online identity verification” for tasks ranging from passport applications, accessing social welfare schemes and opening a bank account to disbursing pensions, filing taxes or buying insurance.

Although Bill Gates has lauded Aadhaar cards for improving access to services, the scheme has been the subject of many security-related scares as inappropriate access to personal information has sometimes been possible, UIDAI’s infosec has sometimes been lax, and the biometrics captured to create citizens’ records have sometimes been used for multiple individuals. Privacy concerns have also been raised over whether biometric data is properly stored and secured, whether surveillance of individuals is made possible through Aadhaar, and possible data mining of the scheme’s massive data store.

UIDAI did not help assuage such fears last Friday, when its Bengaluru office issued advice that card-holders should not share photocopies of their Aadhaar card because it could be “misused.” Copies of cards were sometimes required when checking into hotels.

The organisation advised users instead to use a “masked version” of the card that only displayed the last four digits of the holder’s identity number. UIDAI also warned against erroneously leaving copies of an Aadhaar on public computers, like at a café or kiosk, or giving away information to organizations that are not licensed to use Aadhaar as a credential.

That advice did not go down well as users recalled the many occasions on which they had provided a copy of their Aadhaar cards.

UIDAI has previously advised, in an FAQ, that “no Aadhaar holder has suffered any financial or other loss or identity theft on account of any said misuse or attempted impersonation of Aadhaar.” The document was likened to a mobile phone number or bank account number, something that requires “ordinary protection” to secure privacy.

By Sunday, UIDAI issued a clarification that the warning was issued in the context of potential photoshopping of an Aadhaar card and that due to misinterpretation, the organization was withdrawing the advisory issued from Bengaluru.

“UIDAI issued Aadhaar card holders are only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers,” said UIDAI in a canned statement before describing the technology’s ecosystem as having “adequate features for protecting and safeguarding the identity and privacy” of the user.

That advice, and the fact that an altered card would not change the centrally-stored ID info in the Aadhaar database, seems to have satisfied many. But UIDAI has not clarified how photoshopping an Aadhaar card would create a risk. The Register fancies replacing the photograph on the card could make it a handy fake ID – hardly worth the panic of recommending against an established practice. ®
