Token security or tokenized security?
Those who were reassured that the Aadhaar architecture is safe and secure have faced a few rude shocks lately. First, there was the recent report in The Tribune on how one of its reporters was easily able to log in to the Aadhaar website and access any enrolled Indian’s personal information, all for a grand fee of Rs500. While the veracity of this report is still being contested by the Unique Identification Authority of India (UIDAI), it has stirred panic over the security of personal data entrusted to the government. This came close on the heels of reports last month that a telecom company was utilizing the eKYC (know your customer) data of its mobile subscribers to open payment bank accounts without their consent.
These two instances highlight scenarios where data from the Aadhaar database is vulnerable. In the first, the weaknesses in security measures and processes around the database leave information susceptible to an attack. In the second, providing third-party entities loosely regulated access to an individual’s data leaves scope for abuse.
There is a need to protect the data belonging to individuals in these situations, providing the government with two possible policy options: it can choose to either overhaul the Aadhaar architecture completely, or it can build in additional security measures to ensure that individual data is not compromised.
Uninventing Aadhaar is not a practical proposal. It would have to include repealing the statute on Aadhaar, disbanding the database already created, and figuring out alternative means of delivering the services that are now dependent on Aadhaar. A more sustainable way forward is to better secure Aadhaar. This will involve not only the secure collection and storage of personal data, but also a safe regulation of the manner in which third parties use it for authentication.
One way to protect Aadhaar-related communications is to channel them through a secure conduit. This can be achieved through a system of temporary tokens for Aadhaar-based verifications. Sunil Abraham from the Centre for Internet and Society (CIS) has recommended a system of using dummy or virtual Aadhaar numbers along with a smart card to protect information belonging to individuals.
Tokenization is the process of masking sensitive personal data with another innocuous dataset, allowing it to be shared with third parties without the risk of the personal data being exposed. So, every time a service provider asks for identification, the individual can provide a one-time-ID number generated by an Aadhaar app or on UIDAI’s website. The service provider can authenticate the one-time-ID number with the Aadhaar database, without needing to know or store the Aadhaar number. The algorithm used to generate the one-time-ID number must be constructed using hard-to-replicate information and kept a well-guarded secret. No two service providers will have the same one-time ID, making it harder for personal profiles to be constructed by mining data from multiple service providers, thus enabling a higher level of privacy protection.
Allowing such a system of tokenization for every eKYC can create a welcome layer of ambiguity around individuals’ personal data and preserve the individuals’ Aadhaar-related information with the government. This system also breaks the link between the Aadhaar database and any third party having access to an individual’s Aadhaar number. If this link is not broken, then any entity—government or private—would have access to potentially millions of Aadhaar card numbers, opening endless possibilities for data abuse.
The tokenization process allows the authority to arrest any attempts at data abuse. In fact, to make this system of tokens or one-time-ID numbers effective, the law must build in measures to penalize any attempt to recreate an individual’s Aadhaar number from the unique token number. In other words, the service provider is given a token number for authentication, but prohibited from obtaining the Aadhaar number it corresponds to.
Tokenization is an improvement over the status quo, but only in one aspect—making Aadhaar secure. It is imperative that the government pays equal attention to the manner in which all data is collected, stored and disposed of by the authority. There are two facets to be explored here: first, ensuring secure storage of the vast information database, and second, plugging security loopholes that happen at collection by limiting access to the database.
The adoption of appropriate technical safeguards is indispensable to thwart external threats to the Aadhaar database, such as ransomware attacks. Having appropriate security, and having periodic audits to test the adequacy of such security, is indispensable.
Equally, limiting access to the database is crucial for preventing leaks, such as the ones reported in The Tribune. It is important that only a select few individuals have access to the database and that these personnel are properly vetted before being vested with such responsibility.
These various facets of the Aadhaar ecosystem are likely to be further examined in the public in the weeks to come as the Supreme Court gears up to hear the petitions on Aadhaar. Regardless of the verdict, there is an urgent need to improve the safety of the Aadhaar ecosystem and the use of tokenization goes some way towards achieving this objective.
Manasa Venkataraman and Ajay Patri are researchers at the Takshashila Institution, an independent, non-partisan think tank and school of public policy.