Will Aadhaar's New AI-Based Security Successfully Prevent Data Breaches?
The structural issues with biometric security are not addressed by the new security system designed to guard against fingerprint spoofing, according to experts.
The Unique Identification Authority of India (UIDAI) rolled out a new artificial intelligence-based security mechanism for fingerprint authentication earlier this week that aims to detect fingerprint spoofing attempts faster.
According to the press release, this would make the "Aadhaar authentication transactions even more robust and secure".
How will the new security mechanism work?
The artificial intelligence and machine learning (AI/ML) based security mechanism has been developed "in-house". The mechanism will use a combination of both finger minutia and finger image in order to check the "liveness" or the genuineness of the fingerprint captured. In a fingerprint image, the ridges appear as dark lines and the valleys are the light areas between the ridges. Minutia points are the locations where a ridge ends or bifurcates.
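To make the definition of minutia points concrete, here is an added example (not UIDAI's code, and not taken from the press release) that finds ridge endings and bifurcations with the textbook crossing-number method. The press release does not say how UIDAI extracts minutiae, so the method, the function name `find_minutiae`, the `margin` parameter and the sample skeleton are all assumptions made for illustration.

```python
# Crossing-number minutiae detection on a thinned (one-pixel-wide) ridge skeleton.

# The 8 neighbours of a pixel, in clockwise order starting at the top-left.
RING = [(-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]

# Constructed sample, not real biometric data: '#' = ridge (dark), '.' = valley (light).
# Two ridges merge into one, forming a Y shape.
SAMPLE = [
    ".......",
    ".#...#.",
    "..#.#..",
    "...#...",
    "...#...",
    "...#...",
    ".......",
]


def find_minutiae(skeleton, margin=1):
    """Return (endings, bifurcations) as lists of (row, col) in row-major order.

    margin: ridge pixels closer than this to the image border are ignored,
    because a ridge cut off by the sensor edge looks like a ridge ending.
    """
    rows, cols = len(skeleton), len(skeleton[0])

    def ridge(r, c):
        return 1 if 0 <= r < rows and 0 <= c < cols and skeleton[r][c] == "#" else 0

    endings, bifurcations = [], []
    for r in range(margin, rows - margin):
        for c in range(margin, cols - margin):
            if not ridge(r, c):
                continue
            ring = [ridge(r + dr, c + dc) for dr, dc in RING]
            # Crossing number: half the number of 0/1 changes around the ring.
            cn = sum(ring[i] != ring[(i + 1) % 8] for i in range(8)) // 2
            if cn == 1:        # one ridge leaves the pixel: ridge ending
                endings.append((r, c))
            elif cn == 3:      # three ridges meet at the pixel: bifurcation
                bifurcations.append((r, c))
    return endings, bifurcations


if __name__ == "__main__":
    print("endings, bifurcations:", find_minutiae(SAMPLE))
```

The output is only a list of coordinates, a template that says nothing about whether a live finger produced it, which is why a liveness check also needs the fingerprint image.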
The AI-based mechanism will be a two-factor/layer authentication for enhanced data security. According to the release, the new implementation will be beneficial for sectors like banking, finance, and telecom. "It will also benefit bottom of the pyramid as it will further strengthen the Aadhaar enabled payment system and curb malicious attempts by unscrupulous elements", the release read.
It has already been rolled out and is now fully functional.
Still missing the point?
Speaking to BOOM, Srinivas Kodali, a researcher with Free Software Movement of India, said, "Every time a new security mechanism is brought in, people find a new way to breach it. The problem lies with the protection of biometrics; checking the 'liveness' of it will not solve the structural problems of security."
Citing the example of fraud reported after biometric verification during the Bihar panchayat elections in 2022, Kodali said, "Using biometrics as passwords is as it is very problematic, and now we are focusing on building everything around it." During the elections, a fraudster took out money from the accounts of voters by taking their "fingerprints on his phone before they had put their fingerprints in the biometric machine to cast their votes", The Hindustan Times reported.
This isn't the only case where biometrics have been misused. In January 2019, a former Aadhaar operator's biometrics were misused to withdraw money from two of his accounts in Jind, Haryana. Similarly, in 2020, the biometric data of a 58-year-old woman based in Kolkata was misused to obtain a SIM card and commit other crimes in Rajasthan.
In another case of identity theft, a private company in Chennai had been gathering private biometric information on thousands of individuals in order to verify who was eligible for a welfare programme on behalf of the Greater Chennai Corporation. This counterfeit programme had been running since 2015, until it got busted in 2022.
According to Prateek Waghre, policy director at Internet Freedom Foundation, "The press release does not give away much about the technique of the new AI mechanism. We could only guess that it would be used to tell apart a real fingerprint from, maybe, a prosthetic or a dummy one. However, the security mechanism will not change the underlying issues with the use of biometrics, that is, we cannot do anything to protect the data once it is compromised."
What is the need of the hour?
Speaking to BOOM, Mishi Choudhary, a technology lawyer with Software Freedom Law Centre, said, "For robust security against data breaches, the Government of India needs law, policy and private sector tools. Like the Biden Administration, there needs to be a comprehensive review and strategy against breaches, hacking and ransomware."
Talking about India's Data Protection Bill, Waghre said, "There were multiple versions of the 2017 Bill, which were ultimately withdrawn in 2021. The latest version was drafted in November last year, but has not been tabled in the Parliament yet."
According to Waghre, the biggest problem, even with the recent version, remains that the state can still collect our data and can choose to exempt itself from any obligations under the law. "This defeats the purpose of the law itself," he added. Delving into the basis of the problem, Waghre said, "In the face of a data breach, the first step by our government authority is denial, which speaks much about their stance on the matter of security."