119,22,59,062 Aadhaar Numbers, 119,22,59,062 People's Privacy At Stake

On January 3, an article published in The Tribune claimed that the media house gained unrestricted access to details of any of the more than one billion Aadhaar numbers created so far. It took The Tribune just Rs 500 and 10 minutes to purchase a username and a password from an ‘agent’ on Whatsapp, which could then be used to gain personal information of practically anyone by simply entering their unique 12-digit identification number.

After this report was published, the UIDAI called it ‘misreporting’ and assured (as it has several times in the past) that Aadhaar details are completely safe. When The Tribune responded by pointing out loopholes in the UIDAI’s claims, the government body Tweeted a reply saying, ‘some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details.’ Basically, the UIDAI accepted the breach by not accepting the breach, and claimed that only our demographic information was misused, while our biometrics are safe. But, what UIDAI forgot to mention is that we choose the people we want to share our demographic details with. We do not go around telling everyone, ‘Hi, my name is X. My parents’ names are A and B. I was born in so and so year, my email address is [email protected], my mobile number is 0123456789 and I live at house number 03, pqrst street.’

The BJP was quick to term The Tribune’s article ‘fake news’. Hours after the report, The Quint found that random people with no official credentials can access and become admins of the official Aadhaar database (with names, mobile numbers, addresses of every Indian linked to the UIDAI scheme). Not only this, but once you become an admin, you can make anyone you choose an admin. Anyone means literally anyone – even a foreign national, and that too for no charge. The personal information of 119,22,59,062 Indians is up for sale for free.

More often than not, it is the Aadhaar enrolment agents who can be traced back to such breaches. UIDAI had received repeated complaints of enrolment agencies registering fake data but took no action.

BuzzFeed News also did its own research and discovered that the man who provided The Tribune access to Aadhaar database, had paid Rs 6,000 to an anonymous person in a Whatsapp group he was a part of to get a username and password for himself. He claimed to be unaware that he was compromising people’s privacy and said that he was selling usernames and passwords for Rs 500 to get back the Rs 6,000 he had spent.

As Meghnad Bose pointed out in this article, even relatively unimportant systems have access control via a 2 or 3-stage process that includes OTPs, biometric checks, etc. With the advancement of technology, even our phones do not unlock without our fingerprints, or sometimes, a retina scan. You cannot order food on Swiggy or hail an Uber cab if you don’t first register for the applications using an OTP.

Why is gaining access to Aadhaar database a child’s play?

Isn’t the government concerned that its citizens’ information might be misused by unauthorised agents? It used to, when the UPA government was in power.

On Aadhaar, neither the Team that I met nor PM could answer my Qs on security threat it can pose. There is no vision, only political gimmick

— Narendra Modi (@narendramodi) April 8, 2014

Now, the same concerns are reiterated by the Congress.

‘AADHAR’ data breached yet again!

As every citizen’s personal information is exposed to hackers everyday & ‘Right to Privacy’ is mocked and flouted with impunity, Modi Govt remains immune.

Is anyone listening?https://t.co/UDSfOlSWv9

— Randeep Singh Surjewala (@rssurjewala) January 4, 2018

The number of Aadhaar breaches in the past, cases of duplicate Aadhaar cards, entire villages having the same Aadhaar number, more number of unique identification numbers issued than a state’s population (for eg, New Delhi has 17.7 million population but 19.2 million Aadhaar cards have been issued to the capital), etc are not unknown to us. We’re are so tired of hearing the concerns with Aadhaar that its benefits are blurred. Whatever be the case, privacy is not an area where the government or citizens can compromise (however ingenious or advantageous an idea maybe).

Why should we care?

In this article, we will not delve into the manifold issues with Aadhaar (for instance, the government’s failure to make ration and social welfare readily available to the poor) but only talk about its privacy concerns and how they affect each and every one of us.

With India not having a data protection law at a time when data is the new oil, Aadhaar raises even more eyebrows.

It is already established that getting access to Aadhaar database is easy-peasy. One might think that this breach was by unscrupulous agents but the Aadhaar Act permits the government itself to sell your information, except for your core biometric data, to a “requesting agency” (any agency or person who is willing to pay the fees).

For those sighing with relief thinking that only their demographic information is at stake – your bodily information is not secure either. There have been past cases of hacking the biometric security settings of UIDAI.

Also, our biometrics are not unique. Meaning, they might change with age or certain disabilities. The Aadhaar Act itself states that citizens are mandated to inform the Authority of such changes, overthrowing UIDAI’s claims that Aadhaar enrolment is a ‘one-time’ affair. Even more atrocious is the Act disallowing an individual access to her own biometrics. You can never know if your bodily information is correctly recorded, leaving room for the possibility of copying or replacing your identity with someone else’s. This was found in the breach by Axis Bank Ltd, Mumbai-based Suvidhaa Infoserve, and Bengaluru-based eMudhra, where multiple transactions were done with the same fingerprint.

But unreliability of biometrics and repeated breaches of confidentiality are only the tip of the iceberg.

Aadhaar might kill the very essence of democracy

Did you know state surveillance of citizens’ private communications is authorised by legislative enactments such as the Indian Telegraph Act and the Information Technology Act?

Aadhaar only acts as a catalyst for mass surveillance under the blanket of ‘national security’.

Surveillance in the 21st century is not limited to wiretapping phones; Aadhaar is capable of more, much more than even giants like Facebook or Google.

Have you ever noticed when you walk and look up at the moon, it is always staring down at you? Even when you start running, the moon matches your pace, always hovering over your head. Aadhaar is like the moon. Only, it is actually following you and this is no visual gimmick. This is called ‘life-tapping’. It means that Aadhaar gives the government the ability to collect and store massive amounts of information on our locations, movements, activities, thoughts and wishes. Basically, the government has mapped the habits of the entire population.

The most common citizen argument against mass surveillance is – ‘if I am not doing anything wrong why should I care if the government is watching my every move?’ Well, for the same reason you have a password on your phone and Gmail account or curtains on your windows.

The next phase of life-tapping is ‘data-mining’ – meaning, when our habits are recognised, our desires can be predicted. Corporations use this in advertising, while governments use this to eliminate political disagreements thus, killing the very essence of democracy. A government thrives on the opinion of the majority, and what could be better than knowing voters’ behavioural pattern and swaying them into echo-chambers? This is the power of data.

The deadline to link Aadhaar with all schemes has been extended to March 31, 2018. Sounds goods as it gives us more time to (not) get an Aadhaar card and (not) link it with everything.

No. Not really.

The catch is that it is still mandatory to provide Aadhaar application reference numbers when we open new bank accounts. And application numbers are not allotted without going through the Aadhaar enrolment process, i.e., by submitting all your biometric data and demographic information.

In conclusion, the debate on Aadhaar is still greatly against us and while hoping that the Supreme Court comes up with a favourable decision, we should speak out more. We need to start a discourse on Aadhaar’s privacy concerns, educating and spreading awareness anywhere and everywhere thus, urging the top court to take a decision that benefits us.