India's Citizen ID System Is Leaking, Again!

            Hey, reader! You are receiving this email as part of your subscription to the Post Notifications list in your membership. You can opt out of that here.
          

India's Citizen ID System Is Leaking, Again!

            Author: Mark Bruno

What is Aadhaar?

            To non-Indian readers, imagine if your state ID was directly tied to your biometric data, creating a unique number based on these data points, and generating an immutable digital identity. Without this ID, you might face barriers accessing basic state services, such as food subsidies or welfare payments, and may even encounter difficulty opening a bank account or filing taxes. Though Aadhaar was intended to streamline service delivery, it has gradually become a de facto requirement for participation in many aspects of public and economic life.

            Aadhaar is the world’s largest biometric identification program, created in 2009 by the Indian government. It’s a 12-digit unique identification number, issued to residents based on their biometric data and demographic information. While on the books, it’s technically voluntary, modern Indian life is largely inaccessible without it, particularly for millions of low-income residents.

            Did I mention that one of the biometric data points collected is an iris scan?

            Aadhaar is increasingly used in areas far beyond its original purpose of being a form of state ID, and naturally has caused concern about potential abuse in mass surveillance.

A History of Failures

            There’s been a history of massive data leaks with Aadhaar. One such data breach exposed the personal information of approximately 815 million Indians. This exposed data included names, phone numbers, addresses, Aadhaar numbers, and passport information.

            Sometimes the “leaks” take the form of negligence by the government that can really only be described as “absolutely fucking stupid”. In a 2017 incident, no less than 200 government websites had accidentally made public the PII of every Aadhaar enrollee that was using their services.

            Because of this, it shouldn’t shock anyone that millions of Indians’ PII is effectively flying all over the internet. A casual search will usually provide any number of samples from previous data leaks, re-packaged. And again, the Aadhaar is immutable. There is no mechanism in place to provide you with a new number if you’re exposed. With enough hard work, anyone with an internet connection could steal nearly any Indian citizen’s identity and follow them for life.

            The latest is a supposedly fresh leak of five million records:
          

            Again, it could just be another loser re-publishing the data from the 2017 leaks… or the 2023 leaks. But this is kind of the point: unlike a lot of other old datasets that are published and might not be able to do any damage, the immutable nature of Aadhaar adds to the impact’s permanence. Once something’s leaked, it’s leaked. Other massive public data breaches are like putting toothpaste back into millions of tubes. When Aadhaar leaks, it’s just vapor. There’s no getting it back.
          

            Categories: Central Asia, Infosec, OSINT, trace

            Read on the Website
          

            Stay safe, and always remember:🦉Hail Moloch!🐂
          

Unsubscribe | Manage your subscription