Better Aadhaar with Blockchain
Aadhaar is a brain-child of the Indian government to secure its residents’ fundamental rights to have an unforgeable identity. The Aadhaar project gives a unique 12 digit number to all its residents. This 12 digits number is known as the Aadhaar number. The proof of possession of a given Aadhaar number is backed by fingerprints and iris. Iris recognition is an automated method of biometric identification that uses mathematical pattern-recognition techniques on video images of one or both of the irises of an individual’s eyes, whose complex patterns are unique, stable, and can be seen from some distance.
According to a research done by the Unique ID project, which was initiated as part of Aadhaar, 10 fingerprints and facial bio-metrics are not just enough to guarantee the uniqueness of an identity among a 1.3+ billion population. It proposed to use iris as a third factor. Apart from DNA, iris seems to be the one which could uniquely identify a person with a very high accuracy rate.
Mexico is the first large country that has collected fingerprint, iris and face bio-metrics of the entire adult population, in order to provide social benefits. Prior to 2009, Mexico has had a comprehensive social security program for its residents which used a unique ID number, which was backed by fingerprints of two fingers.
Technical Overview
Aadhaar collects name, date of birth, gender, address, mobile/email (optional) of every resident (no need to be a citizen), and stores those against the corresponding fingerprints and iris patterns. At the time of this writing the project had successfully collected and stored more than 1 billion records. It’s a massive data store of personally identifiable information (PII) stored and managed centrally, by the government. As a deduplication practice all the biometrics stored are checked against existing ones at the point of enrollment and the 12 digits unique identifier is generated — that’s the Aadhaar number. The Aadhaar number is a reference identifier and it does not carry any kind of meaningful data in it.
Aadhaar authentication is the process wherein Aadhaar number, along with other attributes, including biometrics, are submitted online to the Central Identities Data Repository (CIDR) for its verification on the basis of information or data or documents available with it. Aadhaar authentication provides several ways in which a resident can authenticate themselves using the system. At a high level, authentication can be ‘Demographic Authentication’ and/or ‘Biometric Authentication’. During the authentication transaction, the resident’s record is first selected using the Aadhaar number and then the demographic/biometric inputs are matched against the stored data which was provided by the resident during enrollment/update process. Fingerprints in the input are matched against all stored 10 fingerprints. Aadhaar authentication API is not open for anyone. First you need to register with the Aadhaar and then keys will be provisioned to your system. Each authentication request must be signed by these keys, so Aadhaar knows from where the requests are generated.
The awesome design principle behind Aadhaar is, it does not try to solve any concrete problems. In India, only 30% of the population has a bank account — Aadhaar does not try to solve it. In India — there is a massive inefficiency in the distribution of government subsidies and does not reach the right people with right amounts all the time, due to many intermediaries — Aadhaar does not try to solve it. What aadhaar does is, building a solid foundation for others to build solutions on top of that. Aadhaar is the identity layer of a larger ecosystem that can be built around it to solve real world problems.
In short — Aadhaar builds a way to uniquely identify the residents in India. Since the identifier is unique, other systems can identify the user and correlate the user across different systems. For example, if you open a bank account with your Aadhaar number — the bank can independently verify your address and trustworthiness by connecting to other systems and correlate using the Aadhaar number.
With Aadhaar, you have nothing to loose. If you just know your Aadhaar number — you just prove the possession with your own fingerprints and iris. Neither a tsunami nor any other natural disaster can take your identity away from you. But, then again Aadhaar is a centralized system. All the centralized systems are honeypots — it’s just a matter of time. Whoever hacked into the Central Identities Data Repository (CIDR) can reveal the personally identifiable information of more than 1 billion users.
Drawbacks
Aadhaar is under the control of the Indian government. East or West, hardly ever can trust a government. If you are an activist against the ruling party — the government has the authority (possibly not legally) to track your login patterns — see which services you access. Since all the services rely on the Aadhaar number to correlate — one can change the biometrics recorded against your Aadhaar number to a something they have access to — and use those as the credentials to login to external services using your Aadhaar number. Or someone can change your address in Aadhaar — and all the other dependent systems will use that for all the communications and probably expose confidential details to a third party. Technically there can be many other measures to protect the system from such incidents — but if you own the system — and the system owner decides to do something — hardly such measures could act as a defense.
Aadhaar is not strong enough to prevent child trafficking. Children & kids above 1 year of age can apply for Aadhaar. Kids’ biometrics data, such as fingerprints, keep changing frequently up to 5 years of age. Therefore no biometric data will be collected for kids below 5 years age. For children below 5 years age, the Aadhaar number will be linked to their guardian / parents. When the child turns 5 years age, his/her biometric data will be collected and linked to his/her Aadhaar number. If you can bribe the system, you can break the link — and link the kid’s Aadhaar number to a different one.
Aadhaar & Blockchain
Blockchain was initially designed to solve the double spending problem of Bitcoin — peer to peer payment system. But since then, its applications have gone far beyond its original intended use. Following lists out some of the key properties of a public blockchain.
- Decentralized
- No trusted authority
- Immutable records
- Auditability
We can incorporate the above properties of blockchain — to make Aadhaar more transparent and publicly auditable. The Aadhaar system can publish all the changes against each user record to the blockchain. No need to reveal the data or the Aadhaar number — we can use the hash of both and record it in the blockchain. Now, whoever receives data from the CIDR can validate the hash of that data against the hash stored in the blockchain. If that matches — we know that there are no internal handling of the data. If not, someone has played with it. In this way, each individual can monitor changes happening against their Aadhaar record and immediately question the authorities. This will make Aadhaar more transparent, even though all the user records are maintained centrally.
