Aadhaar in the hand of spies

Aadhaar, the 12-digit number linked to the fingerprints and iris patterns of most Indians, the key to unlocking government for the citizen, is a security nightmare in a world where big data and a handful of global defence contractors control the technology for biometric solutions. If information warfare is the way of the future—as Brexit and the Trump campaign show it need not be rooted in facts—select companies and the small circle of protagonists behind them have proprietary tools and the world’s best expertise to access, mine and manipulate data belonging to governments and citizens for desired outcomes.
In the post 9/11 world, the west’s military-industrial complex, fed by wars across continents, is stronger than ever. It is funded in part by America’s Central Intelligence Agency (CIA) and the National Security Agency (NSA), the mass surveillance behemoth; billionaires with agendas; and populated by a revolving-door of key American security and intelligence personnel. Cambridge Analytica, Palantir Technologies and the Chertoff Group are among these corporations.
The Unique Identity Authority of India (UIDAI) in 2010-2012—its inception phase—awarded contracts to three US-based biometric service providers (BSP): L-1 Identity Solutions, Morpho-Safran, and Accenture Services Pvt. Ltd. These companies, all with proprietary biometric software, were responsible for profiling 60 crore Indian residents; developing protocols for avoiding de-duplicating of user details and supplying devices to enrolment agencies.
An investigation by Fountain Ink shows that the companies contracted by UIDAI to process the information are connected to both Cambridge Analytica and Palantir Technologies through business dealings and individuals involved in their affairs during the period of the contract. L-1 Identity Solutions, Morpho-Safran and Accenture have scores of business contracts with American, French and British intelligence and defence agencies through direct contracting of services or services provided by parent corporations and sister companies. Several individuals who worked at these companies have held top positions in the CIA, the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the US military before making the switch.
Following the business links, partnerships and associations, investments and cross-holdings of the individuals and companies involved, situates biometric technology and persons involved in delivering Aadhaar in the midst of a labyrinth of interlocking relationships and conflicts of interest within the intelligence-industry complex. In an ecosystem where intelligence analysis is increasingly outsourced to private firms, these relationships fudge the distinctions between government and corporate, private and public, civilian and military.
This includes dealings and relationships with companies that work with NSA, and at least one involved in online monitoring of data for the US Secret Service as part of the PRISM programme exposed by whistle blower and former NSA contractor Edward Snowden. UIDAI, as far as is known, did not do a background check on these companies or their business, professional and personal associations. Or as shown by the contracts given to these companies and accessed through RTI, insist on technological safeguards against the possibility of illegal data theft, destruction or manipulation by foreign State actors through back doors or malware.
Fountain Ink has reviewed the contract between the BSPs and UIDAI and found that they had access to unencrypted biometric data as part of their job, contrary to UIDAI’s public stand that the data is always encrypted and inaccessible. A set of written questions sent to UIDAI and its top officials didn’t receive any response.
After Edward Snowden’s revelations that NSA is collecting data from Google, Facebook and Yahoo, Bloomberg News reported that thousands of technology, finance and manufacturing companies shared sensitive data with US national security agencies in exchange for favours. The Bloomberg report said that the arrangement was so sensitive that it was brokered in direct meetings between company CEOs and the heads of intelligence services and implemented by a handful of people. The NSA has been known to spy on other nations.
Fountain Ink has reviewed the contract between the BSPs and UIDAI and found that they had access to unencrypted biometric data as part of their job, contrary to UIDAI’s public stand that the data is always encrypted and inaccessible. A set of written questions sent to UIDAI and its top officials didn’t receive any response.
Investigative journalist and the author of the 2008 book Spies for Hire: The secret world of intelligence outsourcing, Tim Shorrock said he has so far not found any evidence of intelligence agencies leveraging their revolving door connections with private players for information. “However, given the connections to US intelligence of these former high-ranking US officials, I would say it is very risky for India to be turning over such a vast database to private companies, particularly from a foreign power. Many of these former officials keep their security clearances after they leave government and often have access to highly classified intelligence information that ordinary executives do not have. When Indian and US national security interests diverge, as they often do, these revolving door figures could make decisions about their biometric contracts that could be detrimental to India and favourable to the US. India would be better off depending on its own technology and technology companies,” he said.
On May 7, The Guardian published a story that connected the dots in a hazy picture which started emerging gradually in the months after the shock of Brexit and Trump. Drawing upon months of investigations by British, German and American journalists, the story revealed how a reclusive American billionaire used a network of influential friends and associates in tech firms, political parties and far-right news outlets to drive electoral results in favour of two desired outcomes—a British vote for exiting the European Union, and a victory for Donald Trump in the US election. The story pointed to a level of coordination between the players involved, the Trump campaign, the Leave EU campaign, Nigel Farage, the head of UKIP, and Robert Mercer, hedge fund billionaire and computer scientist.
At the heart of the revolution in the global order that this motley group of anti-establishment allies brought about is a data analysis company that Mercer funded. Cambridge Analytica, which worked for Trump’s election campaign and the Leave EU campaign, married data gathering and artificial intelligence with psy-ops—psychological propaganda techniques developed by the US military to change enemy behaviour. In this case, the targets were US and UK citizens.
What gave Cambridge Analytica the power to profile entire populations? Facebook. Every time any of us like a picture or video that a friend shared, show support for a cause by liking that clever meme, or disliking a snarky comment by a troll, we leave digital footprints that say something about our personalities. In 2014, Cambridge Analytica built an algorithm based on research it contracted a Cambridge scientist to conduct. AleksandrKogan paid Facebook users to take a personality test that allowed him to mine not only their data, but also of everyone on their friends’ network. Using this, Kogan built what the company calls “psychometric” profiles of users. Cambridge Analytica then combined this data with voter data they bought from other commercial sources: email addresses, phone numbers, home addresses. This purportedly allowed the Trump campaign (and in UK, the Brexit campaign) to target ads at individuals based on their psychological traits and to find key emotional triggers. People high on a neuroticism scale, for example, could be targeted with messages about immigrants taking away jobs.