India’s national scheme holds the personal data of more than 1.13 billion citizens and residents of India within a unique ID system branded as Aadhaar, which means “foundation” in Hindi. But as more and more evidence reveals that the government is not keeping this information private, the actual foundation of the system appears shaky at best.
On January 4, 2018, The Tribune of India, a news outlet based out of Chandigarh, created a firestorm when it reported that people were selling access to Aadhaar data on WhatsApp, for alarmingly low prices.
[Embedded tweet from The Tribune (@thetribunechd), January 3, 2018]
The investigation followed a man named Bharat Bhushan Gupta, a village-level entrepreneur who was lured into buying access to the database by people who approached him on WhatsApp. Gupta later realized that he had access to much more information than he’d asked for.
Concerned about what this might mean for ID holders, Gupta attempted to notify the Unique Identity Authority of India (UIDAI), the agency responsible for issuing Aadhaar numbers, about the problem, but was unable to confirm that UIDAI was aware of or addressing the problem. Gupta is one of 270,000 such village-level entrepreneurs who operate Common Service Centres responsible for various e-services between governments, businesses, and citizens.
He then approached Tribune journalist Rachna Khaira, who undertook the investigation.
Following the investigation, India Today conducted a “sting operation” of their own to confirm the findings of the Tribune reporter.
[Embedded tweet from India Today (@IndiaToday), January 5, 2018]
Inconsistent Responses From Government
The UIDAI’s response to the breach was to file a criminal complaint against Rachna Khaira, the journalist who investigated the breach of personal data, and to call her report “misreporting.” When the Editors Guild condemned the penalizing of the reporter, the UIDAI’s response was to defend its action.
By the logic of this release investigative agencies should file cases against all journalists who do an expose. Sham defence. @UIDAI should withdraw FIR against journalist who broke #AadharLeaks Agency has track record of intimidating whistleblowers. Can’t browbeat civil society. pic.twitter.com/FIUOtvsR9D
— Rahul Kanwal (@rahulkanwal) January 7, 2018
The Information Technology Minister, Ravi Shankar Prasad, made a statement:
Govt. is fully committed to freedom of Press as well as to maintaining security & sanctity of #Aadhaar for India’s development. FIR is against unknown. I’ve suggested @UIDAI to request Tribune & its journalist to give all assistance to police in investigating real offenders.
— Ravi Shankar Prasad (@rsprasad) January 8, 2018
This is not the first time that the UIDAI has “shot the messenger,” so to speak. In early 2017, UIDAI filed a criminal complaint against CNN-News 18 journalist Debayan Ray for conducting an investigation in which he created two Aadhaar enrollment IDs using the same set of biometrics.
UIDAI filed a second complaint against entrepreneur Sameer Kochhar after he blogged about how Aadhaar can be hacked through a “biometric replay attack.” In all three cases, the UIDAI says that the claims made are “misleading.”
“Leaky” By Design
The Aadhaar unique identification number ties together several pieces of a person’s demographic and biometric information, including their photograph, fingerprints, home address, and other personal details. All of this information is stored in a centralized database, which is then made accessible to a long list of government agencies that use it in administering public services.
Although centralizing this information could increase efficiency, it also creates a highly vulnerable situation in which a single breach could expose the data of millions of India’s residents.
In June 2017, Twitter users warned of the dangers of giving database login credentials and e-Aadhaar download capabilities to state officials for this very reason:
.@databaazi warned us about existence of search access to UIDAI data in last year April. Now after 10 months @thetribunechd reports, more than 1 lakh people got illegal access. https://t.co/wJwFvdu5XE
UIDAI’s response: deleting files related to DSDV & SRDH from its website
— Anivar Aravind (@anivar) January 4, 2018
[Editor’s note: 1 lakh = 100,000]
The Annual Report 2015-16 of the Ministry of Electronics and Information Technology speaks of a facility called DBT Seeding Data Viewer (DSDV) that “permits the departments/agencies to view the demographic details of Aadhaar holder.”
According to @databaazi, DSDV logins allowed third parties to access Aadhaar data (without the UID holder’s consent) from a white-listed IP address. In practice, the IP allow-list was the only gate: anyone connecting from a white-listed address could access the system, regardless of whether the lookup was authorized by the person whose record was being viewed.
Screenshots of DSDV (basic licence), which allows third parties (both public and private) to access Aadhaar data (1/2) pic.twitter.com/0Wi4s1EvVz
— india subsidy data (@databaazi) April 3, 2017
The UIDAI confirmed as much on Twitter:
Some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details @thetribunechd @rsprasad @ceo_uidai @timesofindia @firstpost @IndiaToday @ZeeNews @htTweets @TheQuint
— Aadhaar (@UIDAI) January 4, 2018
This design flaw puts personal details of millions of Aadhaar holders at risk of broad exposure, in clear violation of the Aadhaar Act.
#AadhaarLeaks By Government Entities
The Aadhaar Act forbids the public display of Aadhaar numbers. Yet there is irrefutable evidence that both state and central government departments have exposed bank account and Aadhaar numbers of pensioners, minors, scholarship grantees and others.
In October 2017, @iam_anandv pointed out how even a simple Google search for the UIDAI’s tagline reveals hundreds of Aadhaar details.
[Embedded tweet from Anand V (@iam_anandv), October 19, 2017]
In November last year, it was established that more than 200 government websites were displaying Aadhaar details. The UIDAI admitted this after it was compelled to release the information in response to a Right to Information (RTI) request.
UIDAI CEO Ajay Bhushan Pandey has repeatedly maintained that the exposure of Aadhaar numbers alone poses little risk because “Aadhaar numbers are like bank account numbers.” But exposed numbers have been shown to leave people vulnerable to phishing, identity fraud, and corporate malfeasance, as seen in December 2017, when telecom giant Airtel opened three million payment accounts for customers without obtaining their informed consent.
In spite of the furor, the leaks continue. The trend has not gone unnoticed among international technology privacy experts. Professor Graham Greenleaf recently identified it as one of the world’s most “dangerous privacy developments”:
World’s most dangerous privacy development? Tough call between India’s Aadhaar and China’s Social Credit System. But India still has its Supreme Court, Constitution and the Puttaswamy Case to provide hope – China has not. @abli @ICDPPCSec https://t.co/2YViL5dKad
— Graham Greenleaf (@grahamgreenleaf) January 9, 2018
While the UIDAI’s actions offer little cause for optimism, the last hope may lie with the Supreme Court of India, which begins its final hearing of the main Aadhaar petitions on January 17, 2018.