SoK: A Billion Souls: A Security & Privacy Review of India’s “Aadhaar” Biometric ID


India’s Aadhaar is the largest biometric identity system in history. The Unique Identification Authority of India (UIDAI) is responsible for providing each Indian resident with a distinct identity (a 12-digit Aadhaar number) using their biometric and demographic details. Aadhaar is designed to assist in the efficient, transparent, and targeted delivery of subsidies, benefits, and services to India’s 1.36 billion residents. However, with increasing global awareness of data security and privacy, public trust in Aadhaar is crucial to its efficacy. With this in mind, we aim to highlight and catalogue the existing technical and structural vulnerabilities in the Aadhaar infrastructure and provide mitigation strategies for them. We do so by drawing the first detailed snapshot of Aadhaar’s technical, structural, and policy infrastructure. We examine the legitimacy of alleged security breaches reported by Indian media outlets against the standard benchmark for information security: the Confidentiality, Integrity, and Availability (CIA) triad. Moreover, we categorise the feasibility of these breaches based on the threat actor involved, the cost of carrying out the breach (time and resources), and the level of security provided by the Aadhaar infrastructure. Finally, we also consider threat actors and privacy breaches to complete our analysis.

Manuscript in preparation
Pratyush Ranjan Tiwari

Training to be a better cryptographer every day.