Aadhaar Data Breach: We Told You So!
BloombergQuint Opinion
In 2016 after the news of Yahoo! breach, while writing on the security of the Aadhaar database, we had asked, “So, if Aadhaar is breached, what is the plan for the morning after?” The plan, we were told, was for perfect security, flawless operations and if anything ever happened, penalties that can be imposed under the Aadhaar Act would be sufficient. The chickens, as they say, are coming home to roost.
Recently, the Unique Identification Authority of India, the agency that manages the omnipresent Aadhaar, for the first time acknowledged a data breach of the personal details of 7.82 crore Aadhaar holders in Andhra Pradesh and Telangana. On April 12, 2019, UIDAI lodged a First Information Report in Hyderabad against IT Grids (India) Pvt. Ltd., which apparently works for the Telugu Desam Party. It alleged that the said company used stolen voter information along with Aadhaar data of the state governments for voter profiling, targeted campaigning and deletion of votes. UIDAI stated in its complaint that the data may have been obtained from the Central Identities Data Repository or one of the State Resident Data Hubs, which are aligned with the CIDR. Further, it is believed that this was done through an application called ‘Seva Mitra’ developed by IT Grids that contains voter details, photographs and has the ability to feed more relevant information. It also has information about the beneficiaries of various government subsidies. This application, as per the complaint, uses information similar to SRDH and CIDR operations.
Five Reasons Why This Matters
First, until this FIR, UIDAI had stubbornly maintained that the biometric database was fully secure with the highest encryption and all the media reports about several breaches were misreported. During the Aadhaar hearings, Attorney General KK Venugopal had argued with a straight face that the Aadhaar data remains secure behind a complex that has 13-ft high and five feet thick walls. The facepalm emoji was definitely trending that day. Hitherto, UIDAI has not been forthcoming with its data about any breaches and has resorted to aggressive marketing as rebuttals instead of substantive arguments. Even now, its clarification statements obfuscate more than they clarify.
Let’s hope that this FIR is the harbinger of a mature conversation about security and data protection and prompts UIDAI to stringently investigate other instances of Aadhaar data breach.
Second, despite the claims by UIDAI that it is the sole custodian of citizen data collected during the Aadhaar enrollment process, its own complaint belies the statement. The SRDHs that UIDAI has helped to build are a rich source of data that are now leaking like a sieve and not secure, it now claims. Security experts have been crying hoarse for the last few years that consolidation of vast amounts of data makes the SRDHs attractive targets for hackers. However, such concerns have not seen any conversation on the accountability of states or UIDAI or about the security of these databases.
Third, this once again puts the spotlight on the reach of Big Data and its use by governments. Andhra Pradesh, a state that has zealously embraced Aadhaar and added its own bells and whistles to build complete 360-degree profiles of its citizens for better governance has been scooping swaths of data with no oversight or safeguards.
In the absence of a data protection law, states collect data without any informed consent or public education about the usage and implications.
All we see are the claims selling the Big Data revolution as a panacea to address inefficiencies and corruptions in management of state functions.
Fourth, one would think that because of the sensitive nature of data and the requirements and penalties imposed by government regulations, security will be top of the mind for the governments. Instead, all we see is an effort to avoid deep, uncomfortable discussions that are necessary to build a safe and secure product. Even at this stage, UIDAI wants us to believe that there aren’t any vulnerabilities that are inherently in-built into the Aadhaar-enabled ecosystem and the problems are the ‘bad people’. It is once again erecting the bogeyman of national security and use of Amazon Web Services as the main culprit.
What matters here is not what public cloud service is being used to store stolen data but the fact that citizens’ data is insecure and UIDAI has no control over a system it has forced upon the largest democracy in the world.
Fifth, readers may note that although their information has been compromised, they have no recourse to any efficacious remedy; it’s only UIDAI that can pursue the matter. As per Section 47(1), a court can take cognizance of an offense punishable under the Act only on a complaint made by UIDAI or any officer or person authorized by it. This makes UIDAI, which is administering the Aadhaar project, also responsible for providing a grievance redressal mechanism for grievances arising from the project. This severely compromises its independence. So, other than hand-wringing or expressing distress, there is no real remedy that a voter can pursue to protect her data.
After dithering for years, when the Supreme Court of India finally passed the judgment in the Aadhaar case last year, Justice DY Chandrachud in his dissent observed that the architecture of Aadhaar enables surveillance activities through its database. Any leakage in the verification log poses an additional risk of an individual’s biometric data being vulnerable to unauthorised exploitation by third parties and here we are! What is a polite way of saying, “we told you so?”
But this discussion isn’t about UIDAI versus activists or political parties. This is about our freedom, liberty and rights.
What is at stake is individual liberty and the way we have been forced to surrender to the imbalance of power that surveillance technologies have brought. Last week, the Supreme Court of Jamaica, following Justice Chandrachud’s dissenting opinion in the Aadhaar case, declared that its National Identification and Registration Act is unconstitutional, null, void and of no legal effect.
Perhaps it’s time for India to give up on this vain project and break away from the ‘digital leash’.
Mishi Choudhary is Managing Partner at Mishi Choudhary & Associates LLP.
The views expressed here are those of the author and do not necessarily represent the views of BloombergQuint or its editorial team.