Naysayers ready to do what it takes to see Aadhaar fail: Sivarama Krishnan, PwC

Amidst all the furore around Aadhaar being used for eKYC and UIDAI’s supposed ineptitude, PwC’s cybersecurity leader Sivarama Krishnan denounces the practice of media calling every vulnerability a breach. And he’s got a point.

Akin to Arjun Tendulkar making his cricketing debut, Aadhaar has been critically scrutinized, debated over, and viewed cynically even before it was rolled out.

In a no-holds-barred interview, Sivarama Krishnan, cybersecurity leader at PwC, brings to light the negative publicity around Aadhaar and the challenges UIDAI faces in keeping this behemoth running.

So are we being over-critical of Aadhaar?

"I see a heightened interest among naysayers who are ready to do what it takes to see Aadhaar fail. It appears that the agenda is being driven by vested interests." 

Krishnan says that the problem arises from the enrollment software, developed way back in 2009. At that time, Java technologies offered the only available solution for distributed data collection.

Information was collected at Aadhaar enrollment centers, and many controls were built into the Aadhaar application. “You can't make a military-grade application for a distributor to collect data from 130 crore citizens in the most cost-effective manner,” says Krishnan.

So the government developed an application on Java and then leased the application to contracted agencies that in turn signed up with vendors. Krishnan believes that the application should not have been released to the public. 

Once the data is collected, it is encrypted by UIDAI and stored in a central system. The central system carries out a series of checks and processes before issuing an Aadhaar number. He says that a central control is being set up in UIDAI.

So how big a deal is Aadhaar vulnerability?

Krishnan believes that vulnerabilities exist in every system, in any part of the world. The question to be asked is "Can the vulnerability be exploited?" Not every exploit, he says, is a breach.

He explains that post 2012, a number of Java "breaks" (decompilation tools) became available online, with which Java code could be decompiled. Once decompiled, any localized control or any coding that is set up can be modified. But once modified, the program can only work locally, not on the central systems.

During the enrollment process, the software is not connected to the central database - it is a local software running on a local machine. 
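The point Krishnan makes in the two paragraphs above is the classic one: a check that lives only in a client that the operator controls (and can decompile) is not a control at all, so the central system must re-run every check itself and treat a submission that fails one of them as a sign of a modified client. The following is an added illustration written for this article; it is not UIDAI or PwC code, and the packet fields, operator ids and business rules are constructed for the example.

```python
"""Constructed demonstration (not UIDAI code): client-side checks can be removed
from a modified client, so the central system must re-run them and flag
submissions that the genuine client would never have let through."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class EnrollmentPacket:
    operator_id: str      # hypothetical operator identifier
    name: str
    age: int
    fingerprints: int     # hypothetical count of captured biometric templates

# Hypothetical allow-list of registered operators, held only on the central side.
REGISTERED_OPERATORS = {"OP-1001", "OP-1002"}

# Constructed sample batch: one valid record, one with missing data, one from an
# operator the central system does not know.
SAMPLE_PACKETS = [
    EnrollmentPacket("OP-1001", "Asha Kumar", 34, 10),
    EnrollmentPacket("OP-1001", "", 0, 3),
    EnrollmentPacket("OP-9999", "Ravi Singh", 41, 10),
]

def validate(packet: EnrollmentPacket) -> List[str]:
    """Business rules the genuine client enforces; the centre re-runs the same rules."""
    problems = []
    if not packet.name.strip():
        problems.append("empty name")
    if not 0 < packet.age < 130:
        problems.append("implausible age")
    if packet.fingerprints < 10:
        problems.append("incomplete biometrics")
    return problems

def client_submit(packet: EnrollmentPacket, tampered: bool = False) -> Optional[EnrollmentPacket]:
    """The genuine client refuses to send an invalid packet.
    A modified client (tampered=True) has had that check removed and sends anything."""
    if not tampered and validate(packet):
        return None
    return packet

def central_accept(packet: EnrollmentPacket) -> Tuple[bool, List[str]]:
    """Central system: trust nothing the client did; re-validate and check registration."""
    problems = validate(packet)
    if packet.operator_id not in REGISTERED_OPERATORS:
        problems.append("unregistered operator")
    return (not problems, problems)

def process_batch(packets: List[EnrollmentPacket], tampered: bool = False):
    """Run a batch through client and centre; return (accepted, rejected, alerts)."""
    accepted, rejected, alerts = [], [], []
    for packet in packets:
        sent = client_submit(packet, tampered)
        if sent is None:
            continue  # blocked locally by the genuine client
        ok, problems = central_accept(sent)
        if ok:
            accepted.append(sent)
            continue
        rejected.append(sent)
        # A failure on a rule the genuine client enforces means the client that sent
        # this packet is not the genuine client: worth an alert, not just a rejection.
        if any(p != "unregistered operator" for p in problems):
            alerts.append(f"operator {sent.operator_id}: possible modified client ({', '.join(problems)})")
    return accepted, rejected, alerts

if __name__ == "__main__":
    for tampered in (False, True):
        acc, rej, alerts = process_batch(SAMPLE_PACKETS, tampered)
        print(f"tampered client={tampered}: accepted={len(acc)} rejected={len(rej)} alerts={alerts}")
```

With the genuine client, the malformed record never leaves the enrollment machine and the unknown operator is simply rejected. With the modified client the malformed record does reach the centre, is rejected there on the same rule, and raises an alert, which is exactly the distinction between a vulnerability in the local software and a breach of the central system.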

"Following every incident, there's a huge uproar about UIDAI being breached and that it's in denial mode. However, the UIDAI denies any lapse because every vulnerability is presumed to be a breach, but it is not so," explains Krishnan.

He added that in 2008-09, owing to the unavailability of adequate bandwidth, creating a fully controllable central database was a challenge. The fact that we have to send our software to other countries, like the US and France, for validation is nothing to be proud of.