The UIDAI keeps stressing on the fact that the biometrics data is not tampered as a fig leaf in claiming successively more serious reports of data leaks and database breaches are not a matter of concern. To someone who understands technology even a little, this claim does not stand to scrutiny either. Here is how.
Biometric data is the key to unlock demographic data
You are not recognized by your fingerprints you do not sign cheque books with a fingerprint. People checking identification do not stare into your eyes to determine whether you are who you are. You are recognized by your demographic data. Your name. Your location. Your phone number. Your email address. Your age. And so on. This is the information stored against your Aadhaar number that gets validated using a biometric match or an OTP. This is so that 3rd parties know that the information provided to them is valid according to the Aadhaar database. A person with direct access to the original database does not need an OTP or biometric data to validate the original database! Validate against what? Itself?
So, the UIDAI commenting on a breach to the database that gives access to the demographics database by saying that the biometrics are not compromised is like standing in your ransacked home and repeatedly saying that the door lock was not tampered. It is more a statement of a person babbling in shock than anything disputing the fact that the breach has happened.
Can the UIDAI's biometric database be considered untampered?
Actually, also no. Given that the access breach reported by The Tribune involved access to both read as well as update demographics data, the attached biometrics are compromised as well. If unknown people have been editing the data to the point that access was being sold for as little as Rs.500, the biometrics data can NOT be considered untampered, because changing the demographics data can transfer the phone number to update the biometrics with someone else's biometrics as well. Even if this was not done, if the name and demographics details of the Aadhaar holder are changed, them authenticating their Aadhaar number will actually end up authenticating someone else.
If this is difficult to understand, try this scenario. Ramprasad Dashrathprasad Sharma, resident of Random Pradesh has aadhaar number 1111-2222-3333-4444. Laxmanprasad Sharma is a moneylaunderer and wants a fake ID. He pays 2000 rupess to a 500 rupee admin who edits Ramprasad's account details to those of one Laxmanprasad Sharma, resident of UIDAI's living room. Meanwhile Airtel messages Ramprasad to link his mobile with his Aadhaar. He lands up there dutifully with his Aadhaar card. Gives his Aadhaar card, operator sends number off to the database with Ramprasad's fingerprint. Database fills in all the fields of the account owner. Voila. Laxmanprasad just got himself an Airtel Payments Bank account. In the meanwhile, Ramprasad is dismayed by this "malfunction" and files a complaint with the 1947 era service pretending to be modern tech. Someone corrects his Aadhaar details for him. Or maybe he gets arrested for having a fraudulent Aadhaar.
What is the scale of fraud possible with access to the Aadhaar database without biometrics?
As pointed out earlier, if you are in the database, you don't need a key to authenticate data, because you have direct access to the data. So, with a 500 rupee login, a fraudulent bank salesman could sit at home and create a hundred accounts per day to give away for money laundering. Remember what happened in the Airtel Payments Bank scam? The bank did not actually validate the Aadhaar at all? It simply lifted the validated details off Airtel Mobile. If the bank knows the details are valid, it doesn't need authentication. Demographics are enough to create an account. So.... yep. Any person with authority to open bank accounts could use the data from the database to not just open accounts, but to link them to the Aadhaar bridge and hijack their payments that come through the bridge - like subsidies or Aadhaar pay transfers. Neat, no?
If you have understood this far, I believe your own brain is capable of throwing up countless ways direct access to a database does not need authentication and can be easily misused. Basically, the summary of this long post is that Aadhaar is irreparably broken and while it exists and can be claimed as an authentication for anything, the consent of the Aadhaar holder can easily be bypassed putting the security of the whole country at risk. Aadhaar must go.
Aadhaar is beyond broken. It cannot be fixed. Its very existence is a security threat. What needs to be done is for the Aadhaar project to be scrapped immediately and countless bogus databases proliferated so that people attempting to misuse have no way of knowing whether the data they have is authentic or can get them arrested. This of course will not eliminate the risk of those already having authentic details misusing them, but it will help reduce further proliferation at least a little.