Aadhaar Details Published On Over 200 Government Websites, Confirms UIDAI

After a Punjab government entity published the Aadhaar information of 20,100 citizens on its official website in August this year, the Unified Identification Authority of India (UIDAI) has reported another breach. This time around, more than 200 central and state government websites have made private Aadhaar details such as names and addresses public. As per reports, the Aadhaar issuing body confirmed the breach, without actually disclosing when it took place. The details have since been removed from the websites, a UIDAI official claimed.

Highlighting that the UIDAI itself has never publicly displayed Aadhaar details, the official said, “However, it was found that approximately 210 websites of central government, state government departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of general public.”

In response to an RTI query, the UIDAI further stated, “UIDAI has a well-designed, multi-layer approach robust security system in place and the same is being constantly upgraded to maintain the highest level of data security and integrity.”

At a time when the central government is doubling down to make Aadhaar mandatory for bank accounts, phone connections, insurance policies and even LPG connections, these breaches bring up the question of just how secure a citizen’s personal information is.

Dismissing such concerns, the UIDAI added, “Various policies and procedures have been defined, these are reviewed and updated continually thereby appropriately controlling and monitoring any movement of people, material, and data in and out of UIDAI premises, particularly the data centres.”

In its response, the authority said that it conducts regular security audits, with the aim of bolstering the system’s security and privacy of data.

The Ongoing Debate On Aadhaar And Violation Of The Right To Privacy

According to the official website, the Unique Identification Authority of India (UIDAI) is a statutory authority established under the provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act 2016”) on 12 July 2016 by the Government of India, under the Ministry of Electronics and Information Technology (MeitY).

It is a 12-digit identity number provided under the UIDAI, is linked to a citizen’s biometric details and has become mandatory for availing government services, such as filing Income Tax Returns, booking train tickets on the IRCTC, opening a bank account and more.

But, due to a perceived lack of the country’s cybersecurity standards, experts and activists believe that linking of such information to the Aadhaar number can put private and sensitive information at risk for crimes such as identity theft, hacking and more. The Indian Supreme Court recently passed a unanimous verdict in favour of Right to Privacy, calling it a fundamental human right. Post this judgment, a five-judge bench of the apex court was appointed to test the validity of Aadhaar from the aspect of privacy as a fundamental right.

A month later, Kalyani Menon Sen, a feminist scholar and activist on issues relating to women’s rights, challenged the constitutional validity of the RBI’s decision to make linkage of bank accounts with Aadhaar mandatory on grounds of violation of the right to privacy. The petition by Sen also challenged the validity of the March 23 circular issued by the Department of Telecommunication making it mandatory for citizens to link their mobile phones with Aadhaar.

DoT later clarified that telecom companies would not be acting against unverified subscribers until the Supreme Court has decided on the issue of linking mobile phone numbers with Aadhaar.

A Look At Recent Aadhaar Breaches

In recent times, the security of the Aadhaar system has been brought into question several times. In April 2017, the Aadhaar details of 1.4 Mn registered users were made public on the Jharkhand Directorate of Social Security. These details included sensitive information such as names, addresses, bank account details and Aadhaar numbers.

Later in August, Qarth Technologies co-founder Abhinav Srivastava was arrested by Bengaluru’s Central Crime Branch on charges of data theft. According to the complaint, Srivastava illegally accessed UIDAI data through an “Aadhaar e-KYC verification” mobile app that he developed himself. Qarth workers were accused of developing an app and accessing details on the official website without authentication.

During his interrogation, Srivastava gave a six-hour step-by-step demo to sleuths of how he managed to hack into the Aadhaar website. In his demonstration, Srivastava said that he took advantage of the lack of Hypertext Transfer Protocol Secure (HTTPS) in the URL of the Aadhaar website. Another report claimed that Abhinav used shortcuts to access data from various websites that used Aadhaar data.

Around the same time, WikiLeaks published a report claiming that the Central Intelligence Agency (CIA) in its cyber spying efforts had compromised Aadhaar data. The report alleged that the CIA was using tools devised by US-based technology provider Cross Match Technologies for cyber spying.

Saket Modi, founder of Lucideus Technologies, an outfit that has worked closely with the Indian government to ensure the feasibility and safety of the Aadhaar system had stated in an earlier interaction with Inc42, “Aadhaar is an open API system. Yes, Aadhaar card numbers have been made public but then they are like email ids. Just by having someone’s Aadhaar does not enable you to be able to do any fraud or any transaction.”

We have all heard of the adage, “With great power comes great responsibility.” This is especially pertinent in today’s world, where a click of a button can very well change the course of someone’s life. Given that more than 2.5 quintillion bytes of data are consumed every day in the form of emails, videos, images, tweets, and content, the risk of privacy breaches has understandably increased at an alarming rate.

It is troubling to note that other details linked to the UIDAI, such as bank account numbers, family details etc. could also accessed by those with the means and intentions to do so. Although Modi’s explanation does offer some relief, the repeated breach of the Aadhaar system has understandably brought to the surface even bigger concerns.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.