A Punjab government entity has published the Aadhaar details of 20,100 citizens on its official website. These details include Aadhaar numbers, user names and their father’s name. The data belongs to people who have applied for low-cost housing in Ludhiana and Jagraon in Punjab.
The website belongs to the Greater Ludhiana Area Development Authority (GLADA). The exposed lists were for applicants of EWS houses, i.e. applicants who are from the economically weaker sections and who had won their allocations in a draw. The draw and the subsequent scheme has been provided for under the Pradhan Mantri Awas Yojana.
While there is no clarity when the lists went up, they were taken down yesterday from the homepage. As per media reports, the lists are available on the GLADA website server, making it easy to obtain for anyone with access to the direct link.
Commenting on the development, GLADA chief administrator Parminder Singh Gill said, “I have spoken to the official concerned who informed me that no Aadhaar card number was uploaded on the website. The GLADA’s website is being operated at the PUDA (Punjab Urban Development Authority) headquarters in Mohali. We are trying to contact the headquarters in this regard.”
According to the official website, the Unique Identification Authority of India (UIDAI) is a statutory authority established under the provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act 2016”) on 12 July 2016 by the Government of India, under the Ministry of Electronics and Information Technology (MeitY). It is a 12-digit identity number provided under the UIDAI, is linked to a citizen’s biometric details and has become mandatory for availing government services, such as filing Income Tax Returns, booking train tickets on the IRCTC, opening a bank account and more.
But, due to a perceived lack of the country’s cyber security standards, experts and activists believe that linking of such information to the Aadhaar number can put private and sensitive information at risk for crimes such as identity theft, hacking and more. India’s Supreme Court, too, is currently in the process of determining whether the programme violates an Indian citizen’s right to privacy.
According to Section 29 (4) of the Aadhaar Act, no Aadhaar number or core biometric information can be published, displayed or posted publicly, except for specified purposes. As stated by Satish Thaman, member of the Ludhiana District (west sub-division) grievances redressal committe, “If any government department has published a list of applicants with their Aadhaar numbers, their information can get leaked. It is a grave threat to the privacy of residents as Aadhaar information can be misused.”
Aadhaar Data Leaks: Jharkhand, UIDAI Cite Breaches Just Like Punjab
In recent times, the security of the Aadhaar system has been brought into question several times. In April 2017, the Aadhaar details of 1.4 Mn registered users were made public on the Jharkhand Directorate of Social Security. These details included sensitive information such as names, addresses, bank account details and Aadhaar numbers. What was more surprising was that the government officials could not take corrective action after more than 24 hours when the breach was reported.
Even more recently, Qarth Technologies co-founder Abhinav Srivastava was arrested by Bengaluru’s Central Crime Branch on charges of Aadhaar data theft last week. According to the complaint, Srivastava illegally accessed UIDAI data through an “Aadhaar e-KYC verification” mobile app that he developed himself. Qarth workers were accused of developing an app and accessing details on the official website without authentication and provided the same as e-KYC details. Abhinav is accused of accessing Aadhaar-related information, housed by the NIC server, illegally to the miscreants. He had accessed the data through an e-hospital website.
Preliminary inquiries reveal that Srivastava developed a mobile app that provided “Aadhaar e-KYC verification” by accessing data hosted on the National Informatics Centre (NIC) server.
As per recent reports, Srivastava gave a six-hour step-by-step demo to sleuths of how he managed to hack into the Aadhaar website. In his demonstration, Abhinav Srivastava said that he took advantage of the lack of Hypertext Transfer Protocol Secure (HTTPS) in the URL of the Aadhaar website. Another report claims that Abhinav used shortcuts to access data from various websites that used Aadhaar data.
Saket Modi, founder of Lucideus Technologies, an outfit that has worked closely with the Indian government to ensure the feasibility and safety of the Aadhaar system had stated in an earlier interaction with Inc42, “Aadhaar is an open API system. In fact, I compare it to the iStore or Apple Play Store 10 years back when they were newly launched. They enabled the entire human race with an open platform of resources to be used by developers to make their own applications.” According to Modi, the beauty of Aadhaar is it’s not closed. But, security wise, it is close to one of the top standard security systems.
“Yes, Aadhaar card numbers have been made public but then they are like email ids. Just by having someone’s Aadhaar does not enable you to be able to do any fraud or any transaction,” he adds.
While Modi’sdefencee of the platform seems relatively sound, especially as he has compared Aadhaar numbers themselves to email ids; it is troubling to note that other details linked to the UIDAI, such as bank account numbers, family details etc. can be accessed by those with the means to do so. While the Supreme Court debates on the Aadhaar issue with regard to privacy, it is time for the government both national and affected states such as Punjab and Jharkhand to also examine the flaws in its e-governance systems that allow one point of data so much information and power and yet has such lax security.
(This development was reported by Hindustan Times)