Aadhaar enrollment software being illegally distributed with biometric safeguards disabled
The Aadhaar program’s ECMP enrollment software is being distributed illegally for 500 to 2,000 rupees (US$7.50 to $30) in the latest data privacy headache for the Unique Identification Authority of India (UIDAI), Asia Times reports.
The software protects data by verifying the biometrics of the authorized operator and checking the geo-location of the device it is being used on, but the Times says WhatsApp messages it has seen and complaints to the UIDAI indicate the safeguards are being bypassed.
“(The) Aadhaar Enrolment client can be installed on any laptop and is available for public download. It needs to be configured for use by a registrar by importing registrar data and user credentials of the registrar,” one of two information security professionals who examined the illegal software for the Times said. The illegal version is patched to bypass the biometric and GPS modules of the software, and comes preconfigured with credentials from different registrars.
Enrollment operator Bharat Bhushan Gupta of Punjab state emailed UIDAI in February to warn the authority of the illegal software, but after his warnings were acknowledged he received no further communication on the matter.
The UIDAI has acknowledged receiving security alerts, but has yet to issue a statement, leading to speculation that the problem is ongoing, the Times says. Enrollment issues have been among the problems dogging India’s ambitious universal identity scheme, and the UIDAI blacklisted nearly 50,000 private operators in 2017 before shutting down its network of common service centers providing enrollment in rural locations earlier this year. The enrollment process was shifted largely to bank branches and post offices.
The Times also reports that the UIDAI does not have a responsible disclosure program, and is hostile to operators and journalists reporting potential Aadhaar security problems.
The entire Aadhaar program and various processes associated with it are still before India’s top court, and the deadline to link the ID number to tax records was recently extended to the end of June.