UIDAI Data Breach And Its Impact

Published : Jan 16, 2018 08:45 am | By: M D Sridharan

At a time when the government has been insisting on linking the Aadhaar number to every service, the report on the Aadhaar data breach raises a lot of security concerns in the minds of millions of people across the country. It is time UIDAI addressed the privacy concerns of the citizens of the country and ensured their privacy.

“The Tribune” newspaper revealed that the highly confidential and secured Aadhaar information can be “purchased” for as little as Rs.500. The report not only created havoc in government circles but also created a sense of fear in the minds of millions of people across the country, who were worried about their personal data being out in the open.

The Tribune team paid Rs.500 through Paytm to gain access to the Aadhaar data: all particulars of an individual, including name, address, postal code (PIN), photo, phone number and email. According to the report, anyone can purchase a service offered by anonymous sellers over WhatsApp that provides unrestricted access to details for any of the more than 1 billion Aadhaar numbers. The report also revealed that by paying another Rs 300, one could get the “software” that could facilitate the printing of an Aadhaar card using just the Aadhaar number of any individual.

UIDAI asserted that the Aadhaar data is fully safe and secure, that there has been no data leak or breach at UIDAI, and that the biometric data was secure. Moreover, UIDAI asked how one could draw cash from a bank account using merely the account number. Will the bank authorities not demand the signature of the account holder? Similarly, it argued, ‘mere display’ of demographic details cannot be misused, and one cannot do any harm with just the demographic details.

But what has happened is obviously a clear case of a major national security breach. The Aadhaar number, which was originally conceived for availing welfare services from the government, has now been made mandatory even for using personal services. Under such a scenario, the data breach is a violation of privacy and is extremely worrying.

Only top officials of the Unique Identification Authority of India (UIDAI), in the ranks of Director-General and Additional Director-General, have login access to the official portal. Access by anyone else is illegal and is a major national security breach. But the report has clearly exposed the level of security measures adopted by the UIDAI and the subsequent illegal activities of the agents involved.

Instead of sitting up and addressing the myriad insecurities built into its database, UIDAI behaved in a highly brazen manner and filed an FIR against the Tribune journalist who exposed the Aadhaar data breach. It is a clear case of shooting the messenger. The UIDAI justified its action and released a statement saying that it takes every criminal violation seriously, and that “unauthorised access” by the Tribune and its journalist is what invited the criminal proceedings that have been initiated against them. It also said it respects freedom of speech and the media, and that its FIR shouldn’t be viewed as “shooting the messenger”.

Editors Guild Condemned FIR

Subsequently, the Editors Guild of India condemned the move by the UIDAI to file an FIR against the Tribune reporter. The Editors Guild said it is deeply concerned over the filing of the FIR against the reporter by the Crime Branch of Delhi Police under IPC sections 419 (punishment for cheating under impersonation), 420 (cheating), 468 (forgery), 471 (using a forged document) and under sections of the IT Act and the Aadhaar Act.

Condemning the act of UIDAI, the Guild said that it is clearly meant to browbeat a journalist whose investigation on the matter was of great public interest. Calling UIDAI’s action unfair and unjustified, it called the FIR “a direct attack on the freedom of the press”. The Guild stated that “instead of penalising the reporter, UIDAI should have ordered a thorough internal investigation into the alleged breach and made its findings public”. It demanded intervention of the concerned ministry to get the cases against the reporter withdrawn, “apart from conducting an impartial investigation into the matter”.

The Press Club of India, Indian Women’s Press Corps and Press Association also expressed “strong objection and condemnation” of UIDAI’s action and questioned UIDAI: “If there is no breach, what is the offence they have supposed to have committed?”

The statement called the UIDAI move “intimidatory, obstructionist and inimical to the pursuit of free, fair and independent journalism”. Amnesty International also tweeted against UIDAI’s move, saying that “filing a criminal case against a journalist for exposing weaknesses in a massive government programme is an outrageous attack on freedom of expression”.


Data Breach and Misuse

What is a data breach? Though a data 'breach' is not defined under the Indian Information Technology Act, 2000 or the Aadhaar Act, 2016, gaining unauthorised access is a clear data breach. Normally, a technical breach such as hacking the security systems is construed as a data breach. But a violation of the private details of millions is also very much a data breach. Though UIDAI claims the biometric data remains highly secure, the disclosure of demographic data, such as an individual's name, date of birth, address, PIN, photo, phone number, e-mail, etc., is no less of a privacy concern.


UIDAI clarified that displayed demographic information cannot be misused, as it would need to be paired with an individual’s biometrics. But with the demographic details along with the Aadhaar number, cyber criminals can get SIM cards or can find out which bank it is linked to.

Let’s imagine that criminals get to know your Aadhaar details; with them they can obtain the mobile number. They can then pose as an executive of that bank and, by quoting the Aadhaar number, win the confidence of a gullible person, who parts with the OTP sent to the mobile number. With the OTP, they can complete whatever transaction they set out to do. Worse, with the details one can even print someone’s Aadhaar card and misuse it.

Moreover, demographic data forms the basis of many cybercrimes, be it phishing or identity theft. There are more than 1.19 billion Aadhaar card holders in the country. It is extremely dangerous, therefore, to underestimate the value of the data disclosed in this breach simply because it did not include biometric data.

Investigations into the data breach reveal that some Village-Level Enterprise (VLE) operators hired by the Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS) across India were involved. Over 3 lakh VLEs have access to UIDAI data.

The CSCS operators were initially entrusted with the task of making Aadhaar cards across India. But the government withdrew their services in June 2017 following reports of illegalities, and the post offices and designated banks were pressed into service, to avoid any security breach, in November last year.

There is a lot of suspicion now on the VLEs. With an eye on making a quick buck, more than one lakh VLEs are now suspected to have gained illegal access to UIDAI data to provide “Aadhaar services” to common people for a charge, including the printing of Aadhaar cards.

Additional security layer

A common argument made in support of the Aadhaar system is that when any new system is launched, there will be drawbacks, which need to be fixed. Considering the size of our country and the massive nationwide database of UIDAI, some glitches are bound to happen. But, at the same time, considering the sensitive nature of the data, which involves the privacy of the citizens, UIDAI should have addressed the security issue more seriously. Asserting the technical security of the CIDR and biometric data is not enough. More importantly, people need to believe that their data is secure, and so is their privacy.

Following the outcry over the Aadhaar data breach, UIDAI has finally unveiled an additional layer of protection to safeguard the private details of the people. An additional layer of security in the form of a ‘Virtual ID’ has been included in the system to address privacy and security concerns.

The Virtual ID, to be issued from March 2018, will allow over 119 crore Aadhaar holders to generate a 16-digit temporary number that can be used, instead of the original 12-digit Aadhaar number, for need-based sharing of information with a service provider such as a bank, insurance company or telecom service provider.

According to UIDAI, an individual has to log in to the UIDAI website and provide his/her Aadhaar number. The website will then generate a 16-digit temporary “Virtual ID”, and the individual can use that number with service providers as needed. UIDAI has declared that it will not be possible to locate an individual’s Aadhaar number by using the Virtual ID.

UIDAI has directed all service providers to upgrade their systems to mandatorily allow for the new tool from June 2018. The UIDAI said that with the additional 16-digit number, it will not be possible to locate an individual's Aadhaar number by using the Virtual ID. The other additional safety feature relates to limited sharing of information, again aimed at preventing possible misuse and data theft. Instead of the current system, where five details (name, date of birth, photo, address and mobile number) are shared with the service provider at the time of authentication, the new feature will allow only need-based sharing of data.



