--- title: "Concerned Citizens Call For Independent Audit Of Aadhaar Database" description: "In a shocking security breach of Aadhaar, India’s biometric ID project for residents, the police have arrested 10 men in Uttar Pradesh in North India for successfully creating fake biometrics identiti..." pubDate: 2017-09-11 author: Rethink Aadhaar category: Uncategorized originalUrl: https://rethinkaadhaar.in/blog/concerned-citizens-call-for-independent-audit-of-aadhaar-database --- In a shocking security breach of Aadhaar, India’s biometric ID project for residents, the police have arrested 10 men in Uttar Pradesh in North India for successfully creating fake biometrics identities in the Aadhaar database, by cloning fingerprints. On September 11, the Uttar Pradesh Special Task Force caught a 10-member gang who have been impersonating the credentials of certified Aadhaar operators both by faking the operators’ fingerprints using photopolymer resin, and by illegally cracking open enrollment software of the Unique Identification Authority of India (UIDAI). As per news reports, the criminal gang lifted the fingerprints of the operators sub-contracted by the UIDAI, printing the fingerprints on a butter paper. Additionally, they illegally used a software vulnerability to bypass the iris authentication check established by the government. Such a breach would allow any one to send enrollment packets into the Central Identities Data Repository, where all biometrics and demographics data of Indian residents are stored. News reports indicate the revenue model of this latest theft was abased on selling kits of software, and fingerprints at Rs 5,000 each, which allowed people to run fake enrollment agencies. The police team claimed in raids, they found “[38 cloned fingerprints on paper, 46 cloned fingerprints made of a chemical](http://indianexpress.com/article/india/stf-arrests-10-for-making-illegal-aadhaar-cards-4837709/), 12 mobile phones, two Aadhaar finger scanners, two retina scanners, eight rubber stamps, 18 Aadhaar cards”, according to an Indian Express report. The investigation is still on, and Uttar Pradesh Special Task Force have said the network operating the latest Aadhaar scam may extend to several states. We demand that the UIDAI: - Immediately halt coerced enrollment, linking of services and existing IDs to Aadhaar; withdraw of all notifications issues under section 7 of Aadhaar Act mandating Aadhaar for essential services- Independent audit of Aadhaar database, by a public agency with public representation - That UIDAI immediately notify and compensate unsuspecting residents whose personal biometrics data may have been compromised at these fake enrollment centers- UIDAI make public the records of when did the details of the Uttar Pradesh STF police investigation and raids first come to light, for how long and in how many states have such security breaches been found so far- UIDAI must explain to Standing Committee on Home Affairs how many instances of breach / attempt to breach of Aadhaar database has been notified to UIDAI and what has been the action taken by UIDAI in all such cases?## What this latest breach meansThe latest incident is a shocking breach of public trust. The government claims Aadhaar is more foolproof than any existing Proof of Identity and Proof of Address documents because it is accompanied by biometrics. As per the UIDAI, only authorized agents can do enrollment, and all enrollment must be validated by the operator's finger print and iris along, with their Aadhaar number. This breach shows a poor process of approving who could be doing the enrollments as unaudited and unverified enrollments entered the CIDR central database. This attack shows the government’s claims to be false and makes approved enrollments in the CIDR made via these compromised operator accounts worthless. In this latest security breach, the criminal gang had successfully cracked open the enrollment software. Official statements and news reports on silent on how this was done. The result was that they were able to send enrollments into CIDR by impersonating the credentials of certified operators. The latest incident shows the UIDAI is unable to guarantee the veracity of data in the Aadhaar repository. It has failed to guarantee the security of residents’ identity information, including core biometrics which cannot be replaced. Experts have also warned that if a fingerprint can be faked on a high resolution scanner used during enrollment, it can definitely be faked on the low resolution scanners used during authentication. Aadhaar-based biometric scams, identity theft are now a real risk for the poor, especially those with less access to digital literacy.