India is one of the fastest-growing digital markets in the world, with a large and diverse population of internet users, online content creators, digital service providers, and tech start-ups. According to a report by Bain & Company and Google, India had 622 million internet users and 342 million smartphone users in 2020, and these numbers are expected to reach 970 million and 650 million respectively by 2025.

Aadhaar has served as a unique digital identifier and formed the base of the digital ecosystem for a citizen-centric government that achieved phenomenal financial inclusion of the last mile. That digital ecosystem was challenged by breaches of Aadhaar data. In the recent past, there have been numerous instances of Aadhaar data being exposed online by various agencies. The Centre for Internet and Society (CIS), a Bengaluru-based organisation, found that data of over 130 million Aadhaar card holders has been leaked from just four government websites. The World Economic Forum's (WEF's) Global Risks Report 2019 says, "The largest (data breach) was in India, where the government ID database, Aadhaar, reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens." More than 200 central and state government websites publicly displayed details such as names and addresses of some Aadhaar beneficiaries, as identified by the Unique Identification Authority of India (UIDAI). In Jharkhand, a programming error on a website maintained by the Jharkhand Directorate of Social Security revealed the names, addresses, Aadhaar numbers, and bank account details of over 1.4 million pensioners.

Such a breach of data privacy called for an immediate data security and protection mandate. With the objective of ensuring the privacy of Aadhaar numbers and their related data, the Unique Identification Authority of India (UIDAI), vide its circular of 2017, made it compulsory to store all Aadhaar numbers collected by an Authentication User Agency (AUA), e-KYC User Agency (KUA), Sub-AUA or any other agency in a centralized, dedicated storage in encrypted form, identified as the “Aadhaar Data Vault” (ADV). The Aadhaar Data Vault enables e-Governance applications to eliminate the Aadhaar footprint in the IT ecosystem and builds an abstraction layer (the Reference Key) to safeguard Aadhaar numbers and their related data. This will eventually result in a low risk of unauthorized access to Aadhaar cards within the organisation's systems. This is like building a high-security wall around a castle, with multiple layers of defense that will keep out unwelcome intruders. A secure data layer ensures that the sensitive information stored within is safe and sound.

All the agencies which store Aadhaar Numbers in a structured and electronic form for internal identification purposes such as attendance management, ration delivery, scholarship delivery, financial transactions (PFMS) etc. may use Aadhaar Data Vault Service which eventually results in low risk of unauthorized access of Aadhaar Numbers and its related data within organization systems.

Challenges addressed by Aadhaar Data Vault

1. To reduce the digital footprint of Aadhaar data

The Aadhaar number is used as a primary identity for residents by various user organizations such as banks, telecom operators, government departments and the private sector, which has increased the footprint of Aadhaar. To reduce the risk of leakage, it is important to reduce the footprint of the Aadhaar number as a security measure.

2. Prevent 360-degree profiling of residents

Since the Aadhaar number is being used across different organizations and departments for service delivery, there are chances of 360-degree profiling of a resident. Hence, the use of a reference key will prevent such threats and make the Aadhaar ecosystem more secure and robust.

3. Cease the usage of Aadhaar as domain-specific identifier

For better decoupling and independent evolution of various systems, it is necessary that the Aadhaar number never be used as a domain-specific identifier. In addition, domain-specific identifiers need to be revoked and/or re-issued, and hence the usage of the Aadhaar number as the identifier does not work, as the Aadhaar number is a permanent lifetime number. (Source: Audit and compliance checklist on UIDAI website, A1 (Security Framework Policies for AUA-Mandatory), point 1.)

An identifier is a name or code that uniquely identifies an object within a system. In this context, the term "domain-specific" means that the identifier is only used within a specific system or application, and is not meant to be universally unique.

About Aadhaar Data Vault

Aadhaar Data Vault is a centralized storage for all the Aadhaar numbers collected by the AUAs, KUAs, Sub-AUAs or any other agency for specific purposes under the Aadhaar Act and Regulations, 2016. It is a secure system inside the respective agency’s infrastructure, accessible only on a need-to-know basis. Similar to the tokenisation strategy, the Aadhaar Data Vault uses a reference key, which is a unique token that represents the Aadhaar number in the entire internal ecosystem of the agency. The mapping of reference key to Aadhaar number is maintained in the Aadhaar Data Vault. This is similar to a lock and key system, where the reference key is the key that unlocks the Aadhaar data vault, and the Aadhaar number is the lock that needs to be opened.

Components

  • UID Tokenization Manager: Stores the 72-character UID token returned in every response from UIDAI. The Tokenization Manager is the first point of contact for all sensitive data, and it does its job by encrypting the data and storing it in a safe and secure Data Vault. Once the data is encrypted and stored, the Tokenization Manager creates a Reference Key for that data. This Reference Key is then used to track the data as it moves through the organization, from one application to another, and eventually to the databases where it will be stored.
  • Vault Database: Stores all Aadhaar numbers in an encrypted format with other related data
  • Vault Service: Generates the reference key and the encrypted Aadhaar number, and provides the reference number to the client. This vault is called the Data Repository and it acts as a central hub where all the information is stored. Inside the Data Repository, the Aadhaar number, hash value and the corresponding Reference Key number are all encrypted and securely stored.
  • Digital Sign Certificate: Private/ public key certificate procured by the AUA
  • Hardware Security Module (HSM): It comprises all the processes that are used to create, store, distribute, archive, delete the master keys, key versioning and auto rotation of the encryption keys within the HSM appliance without any downtime.
  • Bulk Transformation Utility: It’s a utility tool that seamlessly converts Aadhaar number to a Reference Key number and vice-versa using the CSV file format.
  • Aadhaar Number Encryption and Reference key: Unique Key for all transactions with only internal systems having access to the Aadhaar Data Vault. The Reference Key number can be accessed, processed and transmitted throughout the organization as needed, but the encrypted Aadhaar data remains locked away inside the Data Vault.
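
The reference-key mapping and the bulk CSV conversion described in the components above, sketched as an added example (not CSM's or UIDAI's code). The class and function names, the HMAC-based keyed hash used for lookup, and the standard-library XOR-pad cipher standing in for HSM-backed encryption are assumptions; the sample numbers are constructed.

```python
import csv, hashlib, hmac, io, secrets

def _prf(key: bytes, label: bytes, data: bytes = b"") -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

class DataVault:
    """In-memory sketch of a vault service: reference key <-> sealed Aadhaar number."""
    def __init__(self, master_key: bytes):
        # Assumption: in a real vault these keys are generated and held inside the HSM.
        self._enc, self._idx = _prf(master_key, b"enc"), _prf(master_key, b"idx")
        self._rows = {}    # reference key -> (nonce, ciphertext, tag)
        self._index = {}   # keyed hash of Aadhaar number -> reference key

    def _xor(self, nonce: bytes, data: bytes) -> bytes:
        # Stand-in cipher (assumption): XOR with a 32-byte HMAC pad; an HSM would encrypt here.
        return bytes(a ^ b for a, b in zip(data, _prf(self._enc, b"pad", nonce)))

    def tokenize(self, aadhaar: str) -> str:
        if not (aadhaar.isascii() and aadhaar.isdigit() and len(aadhaar) == 12):
            raise ValueError("expected a 12-digit Aadhaar number")
        h = _prf(self._idx, b"uid", aadhaar.encode())
        if h not in self._index:
            ref = secrets.token_hex(16)       # random: not derivable from the number
            nonce = secrets.token_bytes(16)   # fresh per record, so pads never repeat
            ct = self._xor(nonce, aadhaar.encode())
            self._rows[ref] = (nonce, ct, _prf(self._enc, b"mac", nonce + ct))
            self._index[h] = ref
        return self._index[h]                 # same number always maps to one key

    def detokenize(self, ref: str) -> str:
        nonce, ct, tag = self._rows[ref]      # KeyError for an unknown reference key
        if not hmac.compare_digest(tag, _prf(self._enc, b"mac", nonce + ct)):
            raise ValueError("vault record failed its integrity check")
        return self._xor(nonce, ct).decode()

def bulk_to_reference_keys(vault: DataVault, csv_text: str, column: str = "aadhaar") -> str:
    """CSV in, CSV out: replace the Aadhaar column with reference keys."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = ["reference_key" if f == column else f for f in reader.fieldnames]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(fields)
    for row in reader:
        row[column] = vault.tokenize(row[column])
        writer.writerow([row[f] for f in reader.fieldnames])
    return out.getvalue()

# Constructed sample data; the numbers are made up.
SAMPLE = "name,aadhaar\nAsha,999911112222\nRavi,999933334444\nAsha K,999911112222\n"
```

Downstream systems would hold only the output of `bulk_to_reference_keys`; `detokenize` is the single path back to the number and is the call to restrict and audit.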

Benefits

  • Ensures data privacy due to high-grade encryption technology
  • Data security in transit as well as at rest
  • Seamless compliance with dynamic UIDAI guidelines
  • API-based solution helps in easy integration with other systems
  • Automatic access control along with key management
  • Easier and frictionless access to government services by citizens
  • Raises government transparency by providing a centralized platform for collecting and storing Aadhaar-related information
  • Reduces identity theft and fraud

Aadhaar Vault is a great step to vault the digital economy, as it reassures the faith of the citizens. The digital transaction needs data privacy and security which can only be possible if there are stringent mandates of the usage with strong tech support. Vaulting ensures a secure digital ecosystem opening new avenues of possibilities and innovation and promoting the nation’s growth.

CSM has successfully created the Aadhaar Data Vault for the Department of Information Technology, Government of Bihar, with more than 12 Cr Aadhaar numbers stored in an encrypted format and the integration of more than 8 departments. It is soon to go live for the Government of Odisha.
