TECH
28/09/2018 10:37 AM IST | Updated 28/09/2018 1:50 PM IST

Aadhaar Jugaad: How the UIDAI's Army of Digital Touts Turned Into A Security Nightmare

Lakhs of untrained, poorly supervised people helped create the world’s largest biometric database. What happened when this access was taken away from them?

Mansi Thapliyal / Reuters
Authorised Aadhaar-enrolment operators used to be the most visible sign of India’s quest to capture the fingerprints, iris scans and personal details of over a billion citizens into a vast, centralised database.

JALANDHAR, Punjab — On Wednesday, hours after the Supreme Court upheld the constitutionality of Aadhaar, India's controversial biometric identity project, WhatsApp groups populated by hundreds of young men sitting in rickety computer kiosks installed in villages, cities and hamlets across the country were abuzz with activity.

A year ago, these men with their battered laptops, matchbox-sized biometric scanners and GPS dongles, were authorised Aadhaar-enrolment operators—the most visible sign of India's quest to capture the fingerprints, iris scans and personal details of over a billion citizens into a vast, centralised database. Some worked for private enrolment companies, others had set themselves up as "village-level entrepreneurs" (VLEs) under a government scheme.

By February 2017, over 628,000 people from across the country had signed up as certified Aadhaar operators and supervisors. So when the Unique Identification Authority of India (UIDAI)—the agency overseeing Aadhaar—barred private operators from the Aadhaar enrolment process, hundreds of thousands of them were left jobless and on the brink of poverty.

Today, these operators who have a rudimentary formal education but an instinctive grasp of the Aadhaar ecosystem, have turned into the system's Achilles' heel by participating in a thriving grey market to enrol new users without verifying supporting documents, to update user information without authorisation, and to extract reams of sensitive information despite the UIDAI's ardent claims to the contrary.

As a consequence, the UIDAI has created a security nightmare by giving hundreds of thousands of poorly supervised private individuals access to the world's largest biometric database, and then robbing them of their employment overnight.

These unemployed operators have used WhatsApp to organise themselves into thousands of messaging groups, creating a swarm of well-networked digital touts eking out a living by charging a minor fee to navigate Aadhaar's increasingly unwieldy bureaucracy.

In the process, they have revealed glaring weaknesses of India's digital infrastructure, particularly Aadhaar.

Earlier this month, HuffPost Indiareported on how many of these operators were using a malicious software patch to find their way into the Aadhaar framework they had ostensibly been barred from. Earlier this year, this reporter wrote of how personal information from the Aadhaar database was being sold for as little as Rs 500.

SCREENSHOT

'A Stable Source Of Income'

Ram Lal became an enrolment operator in 2016, when a road-widening project in Punjab's Sangrur district uprooted the small cell phone and downloading shop he ran on the highway just outside Khanauli village.

Lal was 37 years old at the time, and with few prospects of employment.

"It was the most difficult time for me," said Lal, who dropped out of school in Class 10. "I was unable to pay school fees for my two children. We were reduced to eating one meal a day."

There are few jobs to be had in Khanauli, where the local economy is still almost entirely supported by farming. So when Lal heard that the local Common Services Centre (CSC) had openings for Aadhaar enrolment operators, he paid Rs 12,500 to the local district manager to sign up as a VLE. CSCs are a network of village computer centres to help rural residents access e-governance services such as pensions, student scholarships and ration cards, for a minor transaction fee paid to the VLEs who run them.

At the time Lal signed up, CSCs had emerged as an important node for Aadhaar enrolment. Till date, CSCs have enrolled close to 190 million Indians into the Aadhaar framework, making them the single largest contributor to the scheme. As of 2015-16, the most recent data published by the government, printing Aadhaar cards accounted for the largest number of CSC transactions. As per an agreement with the UIDAI, enrolment operators would be paid Rs 50 for every successful Aadhaar enrolment.

For Lal, running an Aadhaar enrolment centre seemed like a stable source of income.

To make this happen, he took a loan, and sold his wife's ornaments to buy the biometric devices needed for Aadhaar enrolment. "As I was unable to buy new machines, the district manager bought me old ones for Rs 59,000," he said.

Lal was not alone. The millions of jobs promised by the Narendra Modi government never materialised, and in an economy where youth unemployment is running at 16%, and 82% of men and 92% of women earn less than Rs 10,000 a month, the role of an Aadhaar operator carried a faint patina of white-collar work, and the gloss of the prime minister's frequent invocations of the promise of "Digital India".

"Many of these youths who have studied up to the senior secondary level dipped into their family savings of up to Rs 3 lakh to set up computer kiosks to offer e-governance services to the common citizens," said Ravneet Singh, former district manager for CSC in Sangrur.

The costs include the biometric devices to capture biometrics and iris scan, the computer, printer, hiring an assistant and paying rent for the shop. Start-up costs often include bribes of up to Rs 50,000 to the enrolment agencies to get their enrolment credentials activated out of turn.

In 2017, a year after Lal set up his shop, the UIDAI terminated Aadhaar services at CSCs, and his life was upended once again. Under pressure for faulty enrolments, data leakage and a lax approach to security, the authority turned the most vulnerable links in its data-chain into scapegoats by pinning the blame for all the system's flaws—structural problems, human error, and poor planning—on the enrolment operators.

The authority mandated that all enrolments move to government premises and banks, terminated all private enrolment agencies and discontinued its contract with CSCs. Lal was jobless once again.

"People used to stand in long queues since morning," Lal said, recalling the heyday of Aadhaar enrolments, when the government sought to make an Aadhaar number mandatory for accessing practically every public and private service. "However, the place got deserted soon after the service was taken away from us. The footfall now is restricted to only 4-5 people on a single day."

"I ran from pillar to post for the next six months to get myself enrolled as an Aadhaar operator in a bank or a post office," he said. "But the local agents demanded around Rs 50,000 to get me a place in any of the government premises. I could not pay."

The family survived on the pension of his father, who retired as a driver from Punjab Roadways, while Lal's computer, printer and biometric reader gathered dust, the interest payments on his loans piled up.

Bypassing UIDAI's Security

The only qualification to become an Aadhaar enrolment operator is to be above the age of 18, and to have an Aadhaar number. Candidates are expected to have passed their Class 12 examinations, but HuffPost India interviewed a number of enrolment operators who had dropped out of school much earlier.

Operators are not required to go through any police verification, and merely have to sit through perfunctory training. The operators were made to clear a customary exam to activate their credentials and each operator is assigned to a particular computer registered by the UIDAI.

The enrolment software has a rudimentary security feature where it checks the operator's physical fingerprints against a copy of their prints stored on the computer to ensure that only authorised operators can use the system.

"We were promised a commission of Rs 50 on every successful generation of new Aadhaar number," said Srikant Singh, a Varanasi-based enrolment operator and secretary of the Jan Sewa Sanchalak Samiti, which runs CSCs in Uttar Pradesh. "While we enrolled hundreds of citizens every day, majority of us used to get only Rs 3,000-6,000 monthly,"

A review of police FIRs and press reports suggests that many enrolment centres came up with ingenious ways to enrol as many people as possible. One of the earliest instances of enrolment fraud came to light in 2012 when the Andhra Pradesh police and UIDAI found that a 22-year-old enrolment operator had enrolled 30,000 people in six months from 20 different centres in Hyderabad's old city—suggesting he had farmed out his operator credentials.

In subsequent years, security breaches of this sort became so routine that they often stayed on the city pages of local newspaper editions. In one well-known method, operators were found to be using synthetically created "fake fingers" to spoof biometric readers, until a freely available malicious software patch made it possible to bypass the enrolment software's security features all together.

Operators set up their own WhatsApp groups, YouTube channels and Google forums to help each other find ways to work around the UIDAI's security protocols. Over time, enrolment agency and WhatsApp groups came to resemble a low-tech version of the user-forum form of knowledge sharing that is hard-coded into the DNA of the internet.

Promising Access

When the the UIDAI terminated all private enrolment, the numerous WhatsApp groups focused their energies on ways of working around the system.

In October 2017, a few days after the UIDAI barred private operators, some operator WhatsApp groups lit up with the following message:

SCREENSHOT

"Aadhaar access Portal: Kisiko Chahe to contact karie'

(If anyone wants access to the Aadhaar Portal, Reach Out).

Many enrolment operators told HuffPost India that they did exactly that and, as a consequence, resumed enrolling people. The flaw they exploited, security experts told HuffPost India, could only be fixed by a thorough revamp of Aadhaar's system architecture.

"To have any hope of securing Aadhaar, the system design would have to be radically changed," said Gustaf Björksten, chief technologist at Access Now, a global technology policy and advocacy group, in the course of HuffPost India's three-month investigation into how UIDAI's enrolment software was compromised.

"To enrol someone, you first capture their biometrics and details, then prepare the enrolment packet," explained a former enrolment operator, seeking anonymity to speak freely. "In the final step, you need access to UIDAI's SFTP channel to upload the enrolment packet to the UIDAI's CIDR."

SFTP, or Secure File Transfer Protocol, is a way to securely transfer encrypted files. CIDR is the UIDAI's Central Identities Data Repository.

While the hacked enrolment software meant operators could capture the biometrics and personal details of Aadhaar enrollees offline, the operators still needed access to the UIDAI servers to upload the data.

This is where the network came in handy: many operators ostensibly blacklisted by the UIDAI found fresh work at new enrolment centres set up inside public sector banks, post offices and government departments. Most of them also stayed in touch with their old friends.

"So now, if we want to upload our enrolment packets, we just reach out to our old friends and ask them to upload our enrolment packets from their SFTP channels," a former enrolment operator said.

In the months that followed, WhatsApp groups monitored by HuffPost India continued to offer a variety of different ways to break into the Aadhaar framework. In one set of messages, for instance, a user offered to register blackmarket Aadhaar machines using the credentials of a public sector national bank, thereby fooling the Aadhaar system into thinking that the unauthorised operator was actually working for that bank.

While HuffPost India had the malicious enrolment software patch verified by three experts of international repute, we could not establish if the other scams worked, or if they were ploys to take advantage of desperate enrolment agents.

Operators interviewed by HuffPost India said they had little choice but to find imaginative ways to make money off the computers they had bought on loan, and the knowledge of the UIDAI system they had picked up on the job. As the Aadhaar ecosystem expands and more services are pulled into its orbit, the operators warned, security threats like these were likely to multiply.

"It is very easy for a VLE to get lured to Aadhaar services offered in the black market," said Ravneet Singh, the former CSC manager. "We can't let our children sleep without food.The heavy interest on our loans have multiplied the amount many times and makes it impossible for us to pay back."