Minister says Aadhaar could withstand a billion hack attempts, as UIDAI clarifies audit rules

Jul 16, 2018, 12:37 pm EDT | Chris Burt

Categories Biometrics News | Civil / National ID

The Unique Identification Authority of India (UIDAI) has opened up Aadhaar auditing to allow banks and telecommunications providers to use any information security auditor certified by the Indian Computer Emergency Response Team (CERT-IN), The Hindu reports. Previously, all Aadhaar authentication ecosystem partners were required to contract Deloitte Touche Tohmatsu, as the sole recognized Information Security Assessment Agency.

Requesting entities and Authentication Service Agencies (ASAs) are required by the Aadhaar Act to submit annual audits, but banks had complained that the UIDAI rules had created a monopoly, and that the Rs. 194,700 (roughly US$2,800) is too high. In response, the UIDAI emailed stakeholders on May 31 to “clarify” that in addition to the auditor it had empaneled (Deloitte), companies can engage a CERT-IN empaneled auditor.

“UIDAI reiterated that all requesting entities and ASAs shall ensure that their operations and systems are audited by information systems auditor certified by some recognised body on an annual basis be it a UIDAI-empanelled or any CERT-IN-empanelled information system auditor,” the UIDAI explained in a statement (PDF).

It is not clear whether the eligibility of auditors certified by the CERT-IN agency, which is part of the Ministry of Electronics and Information Technology, had previously been communicated.

Minister lauds Aadhaar

Aadhaar data is so secure it “cannot be broken into even with (one) billion efforts,” Union Minister of Information Technology Ravi Shankar Prasad told an audience at a public function in Panaji, according to The Tribune.

Prasad said that Aadhaar is now processing 10 million authentications every second, and that it is now linked to 800 million bank accounts. He emphasized that disclosure of fingerprint or iris data to third parties for reasons other than national security is illegal, and said that the program is part of India’s digital transformation. He estimated that the nation of 1.3 billion has about 1.21 billion mobile phones, 450 million smartphones, 500 million internet connections, and 1.22 billion Aadhaar numbers.

He also said that after missing out on the industrial revolution and the entrepreneurial revolution because of regressive domestic policies, and that the Digital India agenda could increase inclusion in the country.

“That is the transformative nature of Digital India, Skill India, Startup India, Smart Cities. It is all technology-based programming designed to empower ordinary Indians to reform, perform and transform,” said Prasad.

Aadhaar rules have required regular clarification from UIDAI, as in the recent statement that its database cannot be used for criminal investigations by police. A ruling is expected soon from India’s Supreme Court on the constitutional validity of the program and various elements of it.