A critical survey of the security and privacy aspects of the Aadhaar framework

Aadhaar is an identification document issued by the Unique Identification Authority of India (UIDAI) to the residents of India. It contains a 12-digit unique identification number (known as the Aadhaar number) and personal details such as name, address, date of birth and biometric data. The biometric data captured for Aadhaar includes fingerprints, facial images and iris scans, which are unique to each individual. The Aadhaar data is used for entity authentication while accessing various government services, availing subsidies, opening bank accounts and conducting other identity-dependent transactions. Thus, the Aadhaar framework provides efficient authentication services in India's public delivery systems. Although UIDAI has implemented stringent security measures such as encryption, access controls and regular audits of the system, the use of Aadhaar has raised several concerns regarding privacy and data security aspects. In this regard, only a handful of studies discuss the security challenges related to Aadhaar. Furthermore, the Aadhaar framework itself is always evolving, thus making prior studies less informative. This paper describes in detail the security features of the Aadhaar card while emphasizing the security challenges involving demographic and biometric data. We have also outlined the preventive measures that can be enforced to secure these data. Finally, this study investigates possible linkage attacks that could occur when different databases are linked for Aadhaar-enabled public schemes. Hence, our work summarizes the security and privacy implications of the Aadhaar infrastructure from a holistic perspective. We believe that our work would be useful for security professionals and policy makers engaged in designing large-scale authentication frameworks.