Clearing the air on Aadhaar data breach
Rachna Khaira, a journalist for The Tribune, recently reported a database breach of Aadhaar. The Unique Identification Authority of India (UIDAI) denied that it is a breach (wrongly, we believe). However, the extent, nature, and implications of this event have been widely misunderstood.
Khaira’s report details a transaction in which she was able to get a login and password to access a UIDAI portal. With this access, one can enter a person’s Aadhaar number and obtain their name, photo, sex, age, address, and potentially their contact details. One cannot, however, get access to sensitive biometric data of the person (even though UIDAI possesses this too).
Was this a data breach?
UIDAI in its response was quick to state that this is not a data breach. They define the incident as “unauthorized access”. However, this seems to be a technicality. That such access can lead to a breach is self-evident.
Further, in the first information report (FIR) that UIDAI filed, Khaira and others are charged under Section 37 of the Aadhaar Act. According to it, if one “intentionally discloses, transmits, copies or otherwise disseminates” Aadhaar data, they can face imprisonment. It is incongruent for UIDAI to say it is not a data breach and simultaneously file an FIR charging the journalist for a data breach.
In addition, the report mentioned that many individuals have already accessed Aadhaar data using this portal. The UIDAI has not explicitly denied this. If true, this also confirms that this was a data breach.
Is the Aadhaar data breach a big deal?
There are two reasons why it is not as big a deal as it is made out to be.
One, because you need an individual’s Aadhaar number to get access, you cannot automatically download a billion people’s data, as the report has suggested. Guessing numbers won’t be much help either. If you entered random 12-digit numbers into the portal, you will only get a genuine Aadhaar number less than one in 800 times. You also cannot run a computer program to repeatedly query the portal as UIDAI uses a “Captcha” to prevent this.
Two, most of the data in question can be accessed through other mechanisms as well. Name and other demographic data can be accessed through online voter rolls published by the Election Commission. With programming skills, this data can be downloaded en masse (unlike the UIDAI portal in question).
In addition, multiple government and private agencies display personal information online with a few clicks. Data peddlers often sell these in the open market in searchable formats. In many cases, the data available on these platforms is more sensitive than what one can get through the UIDAI portal.
Naturally, two wrongs do not make a right. However, basic demographic information—like name, address, etc.—are routinely kept in the public domain intentionally. In fact, some of the publicly available data is an outcome of the Right to Information movement for greater transparency. In the case of voter rolls, publicly accessible voter information aids in conducting fair and efficient elections.
The trade-off between privacy and the benefits of keeping some data public needs more debate, especially in light of the recent privacy judgement. However, singling out only UIDAI for breaches while ignoring other institutions that openly publish similar information is untenable.
Could UIDAI have prevented this data breach?
UIDAI in its statement mentioned that all searches on the portal are logged and tracked. But this security measure did not work. UIDAI did not take any action of the previous instances of misuse, as reported in Khaira’s article.
We support having a UIDAI portal that facilitates efficient and localized grievance redressal. Based on our fieldwork, there is a clear demand for this. But it was straightforward to keep this portal secure. For example, a simple feature requiring officials to authenticate themselves using a one-time-password could have prevented this breach.
Should UIDAI have filed an FIR?
UIDAI has claimed that it respects the freedom of the press but that it was obligated by law to file an FIR under the Aadhaar and IT Acts. If this is indeed true, why have they not filed an FIR against the four Jharkhand government departments that published 130 million Aadhaar numbers online? Why have they not filed an FIR against Airtel for using Aadhaar data illegally to open bank accounts without consent? UIDAI could have gone after the culprits selling access to the portal, but going after the press is indefensible.
UIDAI needs to actively reduce the trust deficit that has emerged. Filing FIRs, issuing blanket denials each time a problem is reported, and labelling its detractors do not help its cause. UIDAI is the gatekeeper of sensitive biometric and basic personal information of more than a billion Indians. We expect UIDAI to openly engage with stakeholders, and be transparent about data security. UIDAI is duty-bound to win our trust rather than simply demanding it.
Ronald Abraham and Akash Pattanayak are, respectively, a partner and associate at IDinsight. Both work on IDinsight’s State of Aadhaar initiative.