Aadhaar’s Security Questioned Again: Are Indians At Risk Of Identity Theft?
The Unique Identification Authority of India today denied a media report claiming a breach of Aadhaar data. The statement was issued after a report published in The Tribune said a certain group was allowing people to get “unrestricted access to details for any of the Aadhaar numbers in India” in exchange for money.
On Wednesday, The Tribune “purchased” a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than one billion Aadhaar numbers created in India thus far.
In a statement, the UIDAI reiterated that “Aadhaar data, including biometric information, is fully safe and secure.” The Aadhaar-issuing body said it has given the “search facility” for grievance redressal to designated personnel and state government officials to help residents, that too only upon entering their Aadhaar number. Any misuse can be traced and action will be taken, the statement added.
In a conversation with BloombergQuint, the Tribune reporter who authored the article said investigations found that the alleged scam may have begun around six months ago and involves village-level enterprise operators hired by the Ministry of Electronics and Information Technology.
Rachna Khaira, Reporter, The Tribune
Some kind of leakage was there because without asking anyone, without having anyone’s OTP or any cell number, we managed to access data like mobile numbers, parents’ names, addresses and photographs on the website, on the portal uidai.gov.in. Once we called the UIDAI officials at Chandigarh – we wanted to find out whether there was actually some kind of breach – initially they didn’t believe us. But once we informed them about the data which we were able to read from the dashboard of the website, they expressed shock. They said, yes, something’s definitely there and it seems to be a security breach.
UIDAI was earlier claiming that there is no access to any sort of data at all. Now, since we have highlighted one part, what proof do they have that biometric data was not leaked? They are not in touch with the anonymous groups that provide illegal gateways to data access. They don't have any clue whether the biometric data may have been leaked. And they may have secured an illegal gateway to the biometrics as well. So that is a matter of further investigation.
UIDAI has today not claimed that there is no data breach. They have accepted a lapse. Because they have claimed that it is a ‘misuse’ of this facility that has been provided – the grievance redressal facility under which they have provided some kind of rights to some designated persons and the state government officials.
Now it is for the UIDAI to identify where the loophole is. We have reported the matter and I'm sure they are going to soon launch an investigation into the matter.
The Tribune also published a fact check of the claims made by the UIDAI.
Here are more reactions on the alleged breach.
Nikhil Pahwa, Founder & Editor, MediaNama
To those that would say the biometrics have not been compromised, I’d like them to remember, that biometrics can be cloned from photographs, and they have been. The fact is that you leave your fingerprints on every surface you touch.
So, biometrics are the easiest thing to compromise in public. All someone needs then is your Aadhaar number, which is also meant to be secret. Even though the UIDAI is denying it, the Aadhaar Act itself treats it as a secret number.
A data protection law is not going to protect people. There are enough people who have done illegal things in the hope that they would not be caught. There are people who have kept doing this with Aadhaar and they are continuing to do it. This is not the first instance of this problem. On one hand the UIDAI keeps denying it, on the other it filed FIRs against people and cancelled licences of enrollment agencies where leaks were happening from. A data protection law will not help address a bad system. The system is built to fail because it is a single centralised database, and Aadhaar is being linked to everything under the sun, because of which many more databases will get created. The problem is that even if the first database does not get compromised, the other ones might. The UIDAI has no control outside of its own Central Identities Data Repository (CIDR). Last year, data leaked from Reliance Jio which was doing e-KYC checks. Now tomorrow, you have thousands of companies that use e-KYC and collect your data, each of them is a potential leak point. So, the design and approach are problematic.
Because the government and many other organisations are making it mandatory in so many places, they are creating more instances of vulnerabilities and problems going forward. This is built to fail.
Saket Modi, Co-Founder, Lucideus Tech & Ethical Hacker
This data is publicly available in so many sources. You have the IT minister of the country flashing the Aadhaar card everywhere. Zoom in there, and you will find his date of birth, his address, his name and Aadhaar card number. That is not really private information, in that sense.
Most people display their father’s and mother’s names on Facebook today because they link their profile. Your picture is already there on Facebook for people to see. Think of it like this, it is not easy to find the Aadhaar card number of any person. It is actually easier to find their phone number.
So what breach are we talking about here? I am not saying it should have happened. Yes, we need to take better steps. But this is public information available to most people.
Pavan Duggal, Cyber Law Expert
There are umpteen examples by means of which a person having access to your Aadhaar-related data can create a living hell for you.
Once anyone has your Aadhaar number, it's so easy to go onto the Aadhaar website and try to get a duplicate Aadhaar card. And the architecture of Aadhaar has been made in such a manner that the password that they ask from you is the postal code of your area. So if anybody knows which area you are residing in, it’s child’s play to go and get a duplicate Aadhaar. Once you get a duplicate Aadhaar card, all I need to do is to change the photograph with another photograph, take yet another copy and start misusing it left, right and centre.
And the law is so stringent, the law doesn’t even allow you – an Aadhaar user whose Aadhaar has been compromised or misused – to even report the matter to the police. You cannot lodge an FIR in case your Aadhaar is compromised. So, you’re just going to be a mute spectator.
You'll go with folded hands to the Unique Identification Authority of India and expect UIDAI will register an FIR because that’s the only agency that can register an FIR.
Further, please understand that the law is very ruthlessly clear. If it's your digital identity, and it stands compromised, you shall be responsible for the said compromise till such time you report. Now how do you report? What are the mechanisms? In fact various provisions barring the registration of an FIR by a normal person go contra to the provisions of the Constitution of India.
People need to quickly understand that it’s just not a number. It’s a lot of things connected therewith. And very quickly, the Aadhaar number needs to be given its sanctity. We need to understand the cyber security ramifications. WikiLeaks has done a story which says the majority of the Aadhaar database is with American agencies. And that is because the UIDAI allowed U.S. companies' Indian subsidiaries complete access for a couple of years. So rather than addressing bigger issues we are right now in the process of adopting an ostrichian approach. We want to close our eyes in the middle of the afternoon and think it's night. It's not! It's a massive problem.