Tuesday, 25 April, was plagued with two major instances of private Aadhaar information being made public on government websites.
- Aadhaar numbers of beneficiaries of the Pradhan Mantri Awas Yojana were available on its website;
- The Department of Social Justice Justice and Empowerment of the Gujarat government had at least two documents with names, addresses, and Aadhaar numbers of hundreds, if not thousands, of students.
In both instances, Aadhaar numbers were mentioned along with names, addresses, mobile phone numbers, parents’ names, bank account details. Even photographs in some cases were made public and searchable.
— surinderxx (@surinderxx) April 23, 2017
The above two instances followed three similar cases of data mismanagement in only the last three days. The information of the following beneficiaries was displayed on the respective department websites:
- Public Distribution System (PDS) beneficiaries in Chandigarh,
- Provident Fund beneficiaries of Swachh Bharat Mission under the Water and Sanitation Ministry,
- Details of over a million pensioners by the Jharkhand government.
— Road Scholarz (@roadscholarz) April 24, 2017
Aadhaar leaks: an accelerating concern
In the month of April, there have been at least 10 major Aadhaar data leaks – that is, 10 reported leaks.
MediaNama documented how these leaks are is a systemic problem. Furthermore, with Aadhaar being made mandatory for a variety of government programmes and subsidies, the data collection, storage, and leaks are likely to only increase, affecting more and more citizens.
Why are these leaks troubling?
This month’s leaks have together resulted in the release of data of millions of citizens. This data includes much more than Aadhaar numbers – it includes bank account details, addresses, phone numbers, and photographs.
These repeated leaks – five major leaks only in the last four days – are alarming and dangerous. Not only are they a breach of cybersecurity and privacy, they are also a violation of the Aadhaar Act, 2016. The Aadhaar Act tasks the UIDAI – the governing body which manages the Aadhaar database – with ensuring the security and confidentiality of Aadhaar information.
RS Prasad had said that 'law will be ignited' if there are data leaks. But there's a rider:
— Meghnad (@Memeghnad) April 25, 2017
- The biggest and most obvious concerns are data security and privacy. In the Indian context, there is a huge question over the accuracy of biometrics
- Information about individuals are priceless for various entities, and it is the high price over the information of individuals that raises the fear of possible breaches of confidentiality and mass surveillance. Most of the databases will be accessible to the government under the national security clause. That would mean, there is a potential breach of privacy which is a pre-condition for civil liberty.
- If one looks at the ease with which imposters can take out Aadhaar card printouts for impersonation purposes, it occurs to one that the most commonsensical solution to prevent this fraud is to ensure the secrecy of the Aadhaar data. This provision has, in fact, been strictly delineated in Section 29 of the Aadhar Act, 2016. But just a simple Google search will reveal search results containing hundreds of Aadhaar numbers and names within the span of a single click. The security risk is enormous.
— Anand V (@iam_anandv) April 24, 2017
India – where privacy takes a backseat
“Indians in general have yet to understand the meaning and essence of privacy.” – Tathagata Satpathy, MP from Dhenkanal, Odisha.
The right to privacy is an element of various legal traditions which may restrain both government and private party action that threatens the privacy of individuals. Over 150 national constitutions mention this right. (More details here.)
Furthermore, as Vrinda Bhandari and Renuka Sane noted:
- In 2011, India was ranked by Google as the third most intrusive State in terms of the number of requests for data on users with 1699 (1430) user data requests being made to Google alone.
- The Report on surveillance in India by the Software Freedom Law Centre (SFLC) found that on average, the central government alone taps more than 1 lakh phone calls a year, with around 7500-9000 phone interception orders being issued by it monthly. Combining this with requests from the State Government, the Report concluded that, Indian citizens are routinely and discreetly subjected to Government surveillance on a truly staggering scale.
- The Central Monitoring System (CMS) set up by the Government of India allows authorised security agencies to instantly intercept and directly monitor communications on mobile phones, landlines and the internet in the country (including on social media) to strengthen the security environment. The CMS will have deep search surveillance and monitoring capabilities with little requirement for authorisation. Its “direct electronic provisioning” allows automated instantaneous interception, that enables direct access by bypassing telecom service providers.
- NATGRID, conceived in the aftermath of the 26/11 attacks, seeks to create a centralised database streaming sensitive information from 21 data sources, including banks, travel details etc. Information infrastructure like Aadhaar may make it easier to utilise this information. In a fledgling democracy, the emergence of this new technology comes with the possibility of misuse.
More information on privacy and data security in India can be read here.
Aadhaar – where a billion citizens’ privacy is under threat
In an investigation of the privacy and security issues of Aadhaar, IIT Delhi concluded that privacy protection in Aadhaar will require
- an independent third party that can play the role of an online auditor,
- study of several modern tools and techniques from computer science, and
- strong legal and policy frameworks that can address the specifics of authentication and identification in a modern digital setting.
The paper stated: “In an Aadhaar-like setup, the biggest threat to privacy comes from potential insider leaks. The Aadhaar technology architecture does not seem to have been explicitly designed to have strong protections against such insider leaks. We believe that effective protection against insider leaks necessarily requires a third party auditor under independent administrative control.”
The Logical Indian take
With 1.123 billion enrolled members as of 28 February 2017 and over 99% of Indians aged 18 and above being enrolled, Aadhaar has been described as “the most sophisticated ID program in world”.
Its scope has been greatly expanded in recent months, with the government pushing for it to be mandated for availing welfare programs and official programs. Primarily because of this reason, the Aadhaar programme has seen the Supreme Court and the government being at odds with each other. The SC has repeatedly rejected any push to make Aadhaar mandatory for welfare schemes.
The rising significance of Aadhaar has been accompanied by rising concerns over privacy issues and the potential for abuse and data breaches. Looking at the facts, it is easy to surmise that incorrect implementation of the Aadhaar scheme can lead to security risks, identity theft, wrongful acquisition of Indian citizenship, and personal and financial fraud.
However, government entities continue to blindly implement practices which go against the spirit of the Aadhaar Act and act as mere appeasement tactics for universal acceptance of the Aadhaar. And while it is more than likely that UIDAI knows of these shortcomings, it has shorn off all responsibility. Instead of correcting the wrongful usage of the Aadhaar by various agencies, it has shielded itself from the implications of such wrongdoing by framing protective policies.
UIDAI needs to take data security seriously. Aadhaar is a goldmine of information; if it is in the wrong hands, the consequences will be catastrophic. In the Digital Age, most security is cybersecurity. The recent instances of private information being made public on government websites are shameful violations of privacy and the Aadhaar Act.
There should be strict action taken against those responsible for these breaches. And the government should ensure that such violations of privacy and the Aadhaar Act do not take place in the future.