
UIDAI denies security breach

March 26, 2018 | Expert Insights

The Unique Identification Authority of India, which manages the country’s Aadhaar system, has dismissed claims of data vulnerability made by the news website ZDNet. The Aadhaar ID system contains the personal information of over 1.1 billion Indian citizens.

Background

Aadhaar is a form of identification in India that ascribes a unique 12-digit identity number to all residents based on biometric and demographic data. Aadhaar was introduced by Nandan Nilekani in November 2012. The vision behind it was to provide residents of India with a unique identity and a digital platform to facilitate authentication.

The UIDAI (Unique Identification Authority of India) is a semi-governmental body responsible for the collection and authentication of this data. It is responsible for “all stages of Aadhaar life cycle”, including policy, operation and management, and data safety. It was established under the Aadhaar Act, 2016. The statutory authority was previously an attached office under the Planning Commission. It now falls under the Ministry of Electronics and Information Technology.

According to the UIDAI, over 111 crore (1.1 billion) unique Aadhaar numbers have been issued since the program was launched. However, since its inception, the ID system has been highly contentious. The state has ordered citizens to link Aadhaar to other services such as bank accounts and mobile numbers; this order is currently being challenged in the Supreme Court. By the end of this month, it may be mandatory to provide Aadhaar verification to receive government services.

Academics and civil society groups alike have petitioned the Supreme Court to prevent this. These groups argue that Aadhaar infringes on the right to privacy and paves the way for a surveillance state. The ID system also hinders access to welfare schemes. Additionally, a number of data leaks releasing personal details have been a cause for concern. India does not have any formal systems of data protection.

In August 2017, the Indian Supreme Court ruled that the right to privacy is “intrinsic to life and liberty”, confirming that the right to privacy is a fundamental right protected by the Constitution. In light of this ruling, a five-judge Constitution bench of the Supreme Court began hearing petitions against Aadhaar in December 2017.

Analysis

On March 23rd, the tech news website ZDNet (owned by CBS Interactive) reported an Aadhaar data leak, which it claimed could affect “potentially every Indian citizen” registered for the ID.

According to ZDNet, New Delhi-based researcher Karan Saini claimed that a data leak by “a state owned utility company” has created a large vulnerability in the system. The company, Indane, which has access to the database, does not have a secured API (Application Programming Interface). Due to this security failure, Saini claimed that “it would be possible to enumerate Aadhaar numbers by cycling through combinations”. As a result, a person’s full name, consumer number, and list of connected bank accounts could be revealed.

The website claimed that it had attempted to contact state officials about this information, but that no action was taken. “We spent weeks reaching out to the Indian authorities, specifically UIDAI, to responsibly disclose the security issue, and we heard nothing back — and no action was taken until after we published our story,” Editor in Chief Larry Dignan told Reuters.

UIDAI has rejected all reports of vulnerabilities in the system or a security breach. “There is no truth in this story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the organisation wrote on Twitter on Saturday. “Even if the claim purported in the story were taken as true, it would raise security concerns on database of that Utility Company and has nothing to do with security of UIDAI’s Aadhaar database.”

The UIDAI noted that the Aadhaar “though a personal sensitive information, is not a secret number,” and the internet database cannot be used to access biodata or conduct financial fraud. The organisation warned against misleading, “false and irresponsible stories” written by people with “vested interests.”

There have been a number of reports of Aadhaar data leaks in recent years. In November 2017, it was found that government websites were making Aadhaar information public. Among those affected was Mahendra Singh Dhoni, the former Captain of the Indian cricket team.

In January this year, the Tribune claimed that it was able to gain access to Aadhaar details after paying a WhatsApp group an amount of Rs 500. Particulars such as name, address, postal code, photo, phone number and email were accessed and the Aadhaar card printed, the report alleged. The UIDAI claimed that the Tribune had misreported the issue. It took legal action against the people involved.

Assessment

Our assessment is that there continue to be a number of privacy and data security concerns linked to Aadhaar. As we have stated before, we believe that a large-scale security breach could leave millions of Indians vulnerable to numerous threats including identity theft. Aadhaar is linked to a number of public and private services; third-party access to information leaves data vulnerable. As the body responsible for Aadhaar data safety, the UIDAI must ensure that these security concerns are addressed.