What the Next Generation of Digital IDs Can Learn from the First

In September of 2023, a Moody’s report aired concerns about Aadhaar, the pioneering government digital ID service used by over one billion Indian citizens. Though it has mitigated fraud and helped countless Indians access services more easily, Moody’s argued Aadhaar posed major privacy and security risks, in large part thanks to its centralization.

India rebutted the concerns, stating in part that “to date no breach has been reported from Aadhaar database.”

Just months later, Aadhaar suffered an immense data theft.

The extremely sensitive personal data of nearly 800 million Indians appeared for sale on black-market forums for a mere $80,000. This included not only their Aadhaar numbers, but their addresses, phone numbers, passport numbers, and more – and despite the government’s protestations, known thefts of Aadhaar data go all the way back to 2012. This doesn’t just expose Indians to payments, benefits, and banking fraud; it is also a vector for national security risk. Some might even argue these harms outweigh the benefits of the system.

Other pioneering digital ID systems worldwide, including China’s RealDID, verification providers relying on data brokers, and digital services that aggregate user data, have also shown centralization risks. These include not just lax cybersecurity but misuse by controlling authorities themselves. The trend of transitioning to digitally native identification systems is clear. Still, the next generation of these systems must learn from the flaws and failures of pioneers – above all, by shifting away from centralized models that turn governments or corporations into ripe targets for criminals.

The Curse of the Innovator

Aadhaar was a hugely forward-thinking project when it launched in 2010, and it’s now the largest digital ID system in the world. There is no doubt that it provides immense utility to its user base of over a billion enrolled Indians. However, early projects in any realm can fall victim to the so-called “curse of the innovator” by failing to adopt new ideas following their creation. Several specific innovations, if they’re adopted by future digital ID projects, could help prevent breaches like the 2023 Aadhaar attack and other kinds of centralization risks.

Decentralization

As Moody’s pointed out, Aadhaar’s biggest flaw may be its centralization, with data and authorizations controlled by the Unique Identity Authority of India, or UIDAI. Centralization of digital identity credentials creates three related problems.

First, Aadhaar has a single point of failure – there have been many cases of benefits denial because the UIDAI couldn’t confirm a user’s identity. Second, centralization makes systems vulnerable to exploitation because all confirmations come from the same authority. For instance, Indian gangs have learned how to exploit the Aadhaar system to generate fake identities – and UIDAI has refused to disclose how many fake identities may be in the wild.

Third and most concerning, the centralization of Aadhaar’s identity data makes it an irresistible honeypot for cybercriminals. Particularly scary is that biometric data, including thousands of fingerprints, has been repeatedly stolen and for use in fraud schemes. This data would allow an attacker to create targeted biometric spoofing attacks, which could defeat both remote and physical identity verification systems. The theft of biometric data is particularly damaging because it is essentially irreversible – unlike a password, you can’t “reset” your fingerprints. 

In recent years, we have seen significant progress on models that prevent single points of failure or mass, single-target data theft. In these architectures, data can be distributed to the edges instead of accumulating in a central government database. Under this type of distributed scheme, far less data is stored by any one authority, with identity instead affirmed by various authorities, such as schools, utility companies, and government agencies. This approach is far more aligned with “zero-trust” approaches to security, and as a result, there’s no “one-stop shop” where hackers can steal or fabricate credentials.

Zero-Knowledge Attestation

According to analysis by the firm Resecurity, Aadhaar leaks have been caused in part by security breaches at third parties, such as utilities, which had downloaded sensitive data from Aadhaar servers and stored them. Until software supply chains are secured-by-default, these common utilities are likely to suffer ongoing compromises, as seen in the recent high-impact “xz Utils” and MOVEit exploits. Innovations in cryptography, including a technique known as “zero-knowledge proofs,” now make it possible to affirm certain data without revealing it to the requester, thereby reducing (or even eliminating) the need for data transfers and the use of intermediate tools that can mishandle sensitive data.

For instance, a third party could confirm the match of a person’s biometric data without actually accessing a raw fingerprint or iris scan. Worldcoin, the Sam Altman-founded global ID startup, uses cryptographic “hashes” of users’ iris scans, rather than the raw data, to establish unique identity. This should prevent the theft of iris data – though this particular technique must be combined with several additional components and precautions to become a complete system that can combat disincentives and misuse.

Robust Data Siloing

Third parties that store sensitive data also often add more data of their own, violating the principle of “data siloing.” For instance, the 2023 Aadhaar hack included full packages combining ID numbers with biometrics, passport numbers, addresses, and phone numbers.

This unfolded largely because over time, Aadhaar identity numbers became required for more and more services. As one critic wrote back in 2018, “This turns Aadhaar into a dangerous bridge between these previously isolated silos. With each new data silo that gets linked, an important protection against 360-degree profiling gets weakened, leaving Indians vulnerable to data mining and identity theft.”

In addition to cryptographic methods that prevent third parties from reading raw identity data, the use of hardware security components can keep identity data from circulating while keeping attestations trustworthy.

Distributed Authority

One of the most disturbing uses of a digital identity system was reported by the New York Times, which covered a Chinese authority’s use of COVID-19 health codes to control the movement of citizens protesting the freezing of their bank accounts. While details remain unclear, it appears that authorities may have matched the identities of the owners of frozen accounts to their health registration accounts, allowing them to flag potential protestors as COVID risks.

This represents a kind of security breach where a system is used to accomplish unrelated (and potentially illegitimate) goals. As Chinese critics pointed out, this isn’t simply a one-time abuse, but undermines long-term faith and public trust in the identity system. Broadly, this is more evidence in favor of decentralized identity systems – not only separating data across authorities, but separating command and control functions from data entirely. With carefully designed digital identity architecture, “should not be abused” can become “cannot be abused.”

Instead of having one central IT department control all of a society’s digital identity and credentials, it is possible to build decentralized architectures that allow multiple authorities with additional checks and balances, transparency requirements, and improved individual control. This clear separation of powers can ensure that powerful financial, healthcare, and security systems cannot collude against an individual.

Distributed Identity For a Safer, Freer Digital Future

The mixed track record of digital identity services so far demonstrates how important it is to design them from the ground up with the right priorities: privacy, security, and individual control. These overriding goals have become more obvious thanks to the experimentation of early adopters, and technological solutions for achieving them have also emerged over time.

With identity systems, it’s not enough to say that systems won’t be compromised, relying on the expertise or ethics of human authorities. Instead, the systems must be built from the ground up with many layers of protection so they can’t be compromised. While there are still details to fill in, ID systems that are architected to use distributed data storage, advanced cryptography, and information minimization are the way to reach that goal. While these services have their flaws, they also have immense potential to provide public utility and fight fraud.

We must learn from programs that have paved the way, such as Aadhar, and ensure that we can enjoy the benefits of digital identity without compromising security or individual freedoms such as free speech, privacy, and user choice.

About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.