May 3rd, 2017
Since its inception in 2009, the Aadhaar project has been surrounded by controversy, with many questioning its privacy standards.
Roughly a year ago, Aadhaar became the world’s largest online digital identity platform. With coverage extending to over 93% of Indian adults, it has become an extremely powerful platform holding sensitive personal and biometric data of millions of Indian citizens.
The Centre for Internet and Society (CIS), India, published a report on Monday titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information”.
The report studied four government databases. The first two belong to the rural development ministry: the National Social Assistance Programme (NSAP) dashboard and the National Rural Employment Guarantee Act (NREGA) portal. The other two are Andhra Pradesh’s own NREGA portal and the online dashboard of a government scheme called “Chandranna Bima”.
“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million from the specific portals we looked at,” said the report authors Amber Sinha and Srinivas Kodali.
They continue, “Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT, and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number.”
1. National Social Assistance Programme (NSAP)
NSAP is a welfare program administered by the Ministry of Rural Development. It is intended to provide public assistance to its citizens in case of unemployment, old age, sickness and disablement.
CIS studied its dashboard for digitized data. Among the attributes listed in the databases of pensioners available, the following are Personally Identifiable Information (PII): Job card number, Bank Account Number, Name, Aadhaar Number, account frozen status.
“While the details were masked for public view, someone with login access could get the details…control access to login based pages were allowed providing unmasked details without the need for a password,” said the CIS report.
The website also has a data download option available which allows download of beneficiary details mentioned above such as Beneficiary No., Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No. for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state.
The NSAP portal lists 94,32,605 bank accounts linked with Aadhaar Numbers, and 14,98,919 post office accounts linked with Aadhaar Numbers.
2. National Rural Employment Guarantee Scheme (NREGA)
The NREGA scheme seeks to provide livelihood security to households in rural areas of India by providing at least 100 days of guaranteed wage employment in a financial year. The project extends to 683 districts in the country with over 25,46,00,000 workers.
On exploring the MIS reports on its website, CIS was directed to the Direct Benefits Transfer Reports. Further study found that the final pages under this link for each Panchayat had a list of very sensitive PII, namely Job card No., Aadhaar Number, Bank/Postal Account Number, no. of days worked, Registration Number, account frozen status.
The total number of Aadhaar numbers stored by the portal is 10,96,41,502.
3. Chandranna Bima Scheme, Govt. of Andhra Pradesh
This is a scheme to provide relief to the families of unorganised workers in case of death or disability of the worker.
A study of its database revealed PII including the following: Aadhaar Numbers, Name, Father’s/Husband’s Name, age, caste, mobile number, gender, partially masked bank account number, IFSC Code, Bank Name and details of the nominee.
“Even though the details were masked while rendering, we found MS Access databases of all the data being published by the portal negating the masking process,” said the authors of the report.
This database has 2,05,65,453 workers registered under the Aam Admi Bima Yojana.
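The failure described in the CIS quotes on NSAP and Chandranna Bima is masking applied only when a page is rendered, while a download or database file still carries the raw rows. The Python sketch below is an added example, not code from the report or from any of the portals; the records, the role name and the function names are constructed for illustration. It routes every output path through one server-side projection and checks an export for identifiers that survived masking.

```python
import csv
import io
import re

# Constructed sample rows; the numbers are made up and belong to no one.
RECORDS = [
    {"name": "Beneficiary A", "aadhaar": "999900001234", "account": "00110022003301"},
    {"name": "Beneficiary B", "aadhaar": "999900005678", "account": "00110022003302"},
]
SENSITIVE = ("aadhaar", "account")
LONG_DIGIT_RUN = re.compile(r"\d{9,}")  # identifier-length run of digits

def mask(value, visible=4):
    """Keep only the last `visible` characters of an identifier."""
    return "X" * (len(value) - visible) + value[-visible:]

def project(record, role):
    """Single server-side projection that every output path must use."""
    if role == "authorised_officer":  # hypothetical role name
        return dict(record)
    return {k: mask(v) if k in SENSITIVE else v for k, v in record.items()}

def to_csv(rows):
    """Serialise rows exactly as they are handed in."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "aadhaar", "account"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def weak_export(records):
    """Failure mode: the page view masks, the download dumps raw rows."""
    return to_csv(records)

def hardened_export(records, role="anonymous"):
    """The download goes through the same projection as the rendered view."""
    return to_csv(project(r, role) for r in records)

def unmasked_identifiers(text):
    """Pre-publication check: digit runs that survived masking."""
    return LONG_DIGIT_RUN.findall(text)

if __name__ == "__main__":
    print(unmasked_identifiers(weak_export(RECORDS)))      # raw identifiers found
    print(unmasked_identifiers(hardened_export(RECORDS)))  # none found
```

Running `unmasked_identifiers` over every generated file before it is placed in a web-accessible directory catches the case where an export job bypasses the projection.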
4. Daily Online Payment Reports of NREGA, Govt. of Andhra Pradesh
Along with the national portal maintained by the Ministry of Rural Development, the Government of Andhra Pradesh maintains its own portal to track progress of NREGA work and payments made under it.
Exploring the Direct Benefit Transfer (DBT) section of this portal gave CIS information for each Panchayat, which included a list of very sensitive PII, namely Job card No., Aadhaar Number, Bank/Postal Account Number, whether it is seeded with mobile number, no. of days worked, registration Number, date on which e-pay order number is created, date, date on which e-pay order number is sent to paying agency, date of credit to worker’s account, time and date for disbursement, pay order amount, mode of payment.
As of 28th April, the portal gave out details about 11,299,803 Aadhaar numbers and 76,63,596 bank account numbers seeded under PMJDY.
Since 26 April 2017, the Supreme Court has been hearing cases against linking Aadhaar to PAN and making it mandatory for filing Income Tax (IT) returns.
The lawyers representing the petitioners have been pointing out the privacy issues with Aadhaar – data leaks of millions of citizens, and the violation of an individual’s right over their body.
However, the government in its defense said, “the State is like a corporation and the citizens are its members. To avail benefits from the State, we need to comply with the rules and regulations made by it.”
The Unique Identification Authority of India (UIDAI) site on 28 April justified past leaks by saying, “The man in-charge of Aadhaar vouches for its safety but there is no stopping the leaks.”
The government’s failure to safeguard crucial information and its push to make Aadhaar mandatory show a blatant disregard for the security and privacy of citizens.
The Logical Indian urges the government to ensure that such leaks are avoided in the future to safeguard Indian citizens against misuse of vital personal information.
Read the full CIS report here.