Are your details safe?

Are your details safe?
The Unique Identification Authority of India (UIDAI) has denied news reports that access to private Aadhaar data was being provided for Rs 500. Even if the reports prove to..

The Unique Identification Authority of India (UIDAI) has denied news reports that access to private Aadhaar data was being provided for Rs 500.

Even if the reports prove to be untrue, does this point towards a serious vulnerability in the Aadhaar system?

Background

Aadhaar, which means 'foundation' is a 12 digit unique-identity number issued to all Indian residents based on their biometric and demographic data. The data is collected by the Unique Identification Authority of India (UIDAI). The Central Government contended before the Supreme Court on May 3rd, 2017 that it is mandatory for the citizens to have a unique identification number and hence a person cannot refuse to provide their samples of fingerprints and iris.

The idea of Aadhaar card was introduced by Nandan Nilekani on 26th November of 2012. The vision behind it was to empower residents of India with a unique identity and a digital platform to facilitate authentication.

On June 2017, the Supreme Court passed an order on compulsory linking of an individual’s income tax PAN and Aadhaar numbers. The central government has stood firm on giving welfare benefits only for those with Aadhaar after 30 June. The government claims that by linking the Aadhaar with PAN, authorities will be able to crack down on people who are escaping the tax net. By 31st March 2018, all Indians must link their Aadhaar cards to their bank accounts and mobile numbers.

Analysis

The Unique Identification Authority of India (UIDAI) has denied news reports that access to private Aadhaar data was being provided for Rs 500. Even if the reports prove to be untrue, does this point towards a serious vulnerability in the Aadhaar system?

Recently, a report by the newspaper The Tribune claimed that the organization was able to get access to Aadhaar details after paying a WhatsApp group an amount of Rs 500. The report was titled, ‘Rs 500, 10 minutes, and you have access to a billion Aadhaar details’. Particulars such as name, address, postal code, photo, phone number and email were accessed and the Aadhaar card printed, the report alleged.

In response, UIDAI Tweeted, “"Tribune's Story "Rs 500, 10 minutes, and you have access to billion Aadhaar details" is a case of misreporting. No biometric data breach.” It further added that it maintains complete logs and traceability of the facility, and any misuse is traceable. "Legal action taken, including FIR against persons involved. Search facility gives limited access to name & other details, has no access to biometric details," it said.

According to the body, this was a result of a misuse in the grievance redressal search facility. It has followed through on its claims by filing an FIR for unauthorized access to Aadhaar data. Much of the problem can be traced to anonymous WhatsApp groups that were formed with the intention of targeting close to 3 lakh village-level enterprises (VLE). These VLEs had been hired under the Common Service Centres Scheme (CSCS) and were also provided unrestricted access to Aadhaar details. In the beginning, CSCS was in-charge of making the Aadhaar cards in the first place but the job was revoked in a bid to reduce the possibility of security breaches. Reports now suggest that at least one lakh VLEs may have gained illegal access to the Aadhaar card details as a result in order to provide these sensitive details for specified fee.

"Except the Director-General and I, no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach," said Sanjay Jindal, Additional Director-General, UIDAI Regional Centre.

This isn’t the first time private details of individuals have been made public. Back in November 2017, it was found that government websites were making Aadhaar information, public. Among those affected was Mahendra Singh Dhoni, the former Captain of the Indian cricket team.

The Supreme Court is currently hearing cases that claim that the government may be infringing on the citizen’s right to privacy by linking public and private services to the Aadhaar card.

Assessment

Our assessment is that as we have pointed before, concerns remain regarding whether the Aadhaar infringes on both on individual’s privacy and also on data security. There are also fears that a large-scale breach could result in the theft of data belonging to over a billion people in India. A breach could leave hundreds of millions of Indians vulnerable to a number of threats including identity theft. We feel that the Supreme Court’s decision on the mandatory linking of public and private services will significantly impact the narrative on the security concerns of Aadhaar. It will be quite disastrous if the vulnerability extends to Aadhaar accounts that are already linked to individual’s bank accounts.  

Comments