In the last couple of years, any news involving Aadhaar and Unique Identification Authority of India (UIDAI) has garnered more eyeballs than accolades
Today, Tribune carried a story showing how easy it was to get someone to hack into the Aadhaar database by paying only INR500 to instantly get personal details of any individual, submitted to the Unique Identification Authority of India (UIDAI), including name, address, postal code (PIN), photo, phone number and email. The UIDAI later denied the claim in a statement.
Today's news was, by no account, a first of such reports.
In Feb 2017, UIDAI filed a police complained against Axis Bank Ltd, business correspondent Suvidhaa Infoserve, and e-sign provider eMudhra after it detected a breach of biometric data, alleging impersonation using illegally stored biometric information.
This wasn’t a stray incident because in April 2017, the personal details of over one million Aadhaar subscribers were leaked on a website run by the Jharkhand Directorate of Social Security. This data comprising personal details, such as name and bank account numbers, belonged to over 1.6 million senior citizens.
A few months later in July 2017, the UIDAI lodged a complaint against an IIT-Kharagpur graduate and his mobile-payment company, Qarth Technologies, for allegedly accessing Aadhaar data to create and operate a private app called Aadhaar ‘eKYC Verification’. In the same month, over 120 million Reliance Jio customers' data was leaked. A website gained access to details such as first name, last name, mobile number, email-id, circle, SIM Activation Date, even Aadhaar Number and published it online.
A total of around ten such breaches have occurred so far.
In November 2017, UIDAI issued a statement saying that it has found approximately 210 websites of central government, state government departments including educational institutes, which were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of general public. In fact, the UIDAI issued a statement saying that “the said data on these websites was placed in public domain as a measure of proactive disclosure under RTI Act by these government and institutional websites.” In short, UIDAI said that the Aadhaar database was fully secure and calling this “display of data” on the government websites a “breach” was a misrepresentation of facts.
Denying The Tribune’s claims, the UIDAI said in its statement that "we maintain complete log and traceability of the facility and any misuse can be traced and appropriate action can be taken.”
UIDAI also said that the legal action including the filing of an FIR against the person involved has also been taken. Defending the system, UIDAI also said that the Aadhaar system is fully safe and secure and has robust uncompromised security.
In retrospect, if 112,01,12,468 Aadhaar cards have already been issued by UIDAI so far, a lot is at stake when it comes to privacy of an Indian citizen. And I haven't even addressed the concern around what happens if biometric data gets breached. The Aadhaar Act lacks any provision that involves sending a mandatory notice to an individual in case of a breach of his/her information. Additionally, a lot will also depend on how the right to privacy law is formulated - which will give Indian citizens the power to probe security breaches in the near future.
After going through The State of the Aadhaar Report published in May 2017, most Indian states have enrolled more than 80% of their residents - so much so that the Aadhaar’s scale has caught the attention of policymakers globally. In all fairness, it addresses its security flaws that highlight the risks of Aadhaar’s technological architecture, including gaps in data quality and security of the biometric database. It also states that data security breaches, especially of sensitive biometric information, can lead to misuse of identity and violate the terms upon which Aadhaar holders provided data. It suggests that the research on Aadhaar’s architecture would be valuable for policymakers at the UIDAI, as well as users of Aadhaar-based services, such as authentication and e-KYC. It recommends conducting technological and operational research focused on strengthening Aadhaar’s systems and processes to a) improve Aadhaar’s coverage and prevent inadvertent exclusion, b) strengthen Aadhaar authentication, and c) augment the accuracy and security of the Aadhaar database.