There Have Been 5 Major Aadhaar Data Leaks In The Past 4 Days On Government Websites

Sudhanva Shetty

April 26th, 2017

Aadhaar Data Leaks

Courtesy: medianama | Image Credit: VKStudio

Tuesday, 25 April, was plagued with two major instances of private Aadhaar information being made public on government websites.

  1. Aadhaar numbers of beneficiaries of the Pradhan Mantri Awas Yojana were available on its website;
  2. The Department of Social Justice Justice and Empowerment of the Gujarat government had at least two documents with names, addresses, and Aadhaar numbers of hundreds, if not thousands, of students.

In both instances, Aadhaar numbers were mentioned along with names, addresses, mobile phone numbers, parents’ names, bank account details. Even photographs in some cases were made public and searchable.



The above two instances followed three similar cases of data mismanagement in only the last three days. The information of the following beneficiaries was displayed on the respective department websites:

  1. Public Distribution System (PDS) beneficiaries in Chandigarh,
  2. Provident Fund beneficiaries of Swachh Bharat Mission under the Water and Sanitation Ministry,
  3. Details of over a million pensioners by the Jharkhand government.


Aadhaar leaks: an accelerating concern

In the month of April, there have been at least 10 major Aadhaar data leaks – that is, 10 reported leaks.

MediaNama documented how these leaks are is a systemic problem. Furthermore, with Aadhaar being made mandatory for a variety of government programmes and subsidies, the data collection, storage, and leaks are likely to only increase, affecting more and more citizens.


April leaks, documented by MediaNama.Medianama

Why are these leaks troubling?

This month’s leaks have together resulted in the release of data of millions of citizens. This data includes much more than Aadhaar numbers – it includes bank account details, addresses, phone numbers, and photographs.

These repeated leaks – five major leaks only in the last four days – are alarming and dangerous. Not only are they a breach of cybersecurity and privacy, they are also a violation of the Aadhaar Act, 2016. The Aadhaar Act tasks the UIDAI – the governing body which manages the Aadhaar database – with ensuring the security and confidentiality of Aadhaar information.


The Aadhaar Act, 2016 tasks the UIDAI with ensuring the security and confidentiality of Aadhaar information.uidai


  1. The biggest and most obvious concerns are data security and privacy. In the Indian context, there is a huge question over the accuracy of biometrics
  2. Information about individuals are priceless for various entities, and it is the high price over the information of individuals that raises the fear of possible breaches of confidentiality and mass surveillance. Most of the databases will be accessible to the government under the national security clause. That would mean, there is a potential breach of privacy which is a pre-condition for civil liberty.
  3. If one looks at the ease with which imposters can take out Aadhaar card printouts for impersonation purposes, it occurs to one that the most commonsensical solution to prevent this fraud is to ensure the secrecy of the Aadhaar data. This provision has, in fact, been strictly delineated in Section 29 of the Aadhar Act, 2016. But just a simple Google search will reveal search results containing hundreds of Aadhaar numbers and names within the span of a single click. The security risk is enormous.


India – where privacy takes a backseat

“Indians in general have yet to understand the meaning and essence of privacy.” – Tathagata Satpathy, MP from Dhenkanal, Odisha.

The right to privacy is an element of various legal traditions which may restrain both government and private party action that threatens the privacy of individuals. Over 150 national constitutions mention this right. (More details here.)

In India, this right is mainly associated with Article 21 of the Constitution. Another component of the debate is the IT Act, 2000.

Furthermore, as Vrinda Bhandari and Renuka Sane noted:

  1. In 2011, India was ranked by Google as the third most intrusive State in terms of the number of requests for data on users with 1699 (1430) user data requests being made to Google alone.
  2. The Report on surveillance in India by the Software Freedom Law Centre (SFLC) found that on average, the central government alone taps more than 1 lakh phone calls a year, with around 7500-9000 phone interception orders being issued by it monthly. Combining this with requests from the State Government, the Report concluded that, Indian citizens are routinely and discreetly subjected to Government surveillance on a truly staggering scale.
  3. The Central Monitoring System (CMS) set up by the Government of India allows authorised security agencies to instantly intercept and directly monitor communications on mobile phones, landlines and the internet in the country (including on social media) to strengthen the security environment. The CMS will have deep search surveillance and monitoring capabilities with little requirement for authorisation. Its “direct electronic provisioning” allows automated instantaneous interception, that enables direct access by bypassing telecom service providers.
  4. NATGRID, conceived in the aftermath of the 26/11 attacks, seeks to create a centralised database streaming sensitive information from 21 data sources, including banks, travel details etc. Information infrastructure like Aadhaar may make it easier to utilise this information. In a fledgling democracy, the emergence of this new technology comes with the possibility of misuse.

More information on privacy and data security in India can be read here.


Aadhaar – where a billion citizens’ privacy is under threat

In an investigation of the privacy and security issues of Aadhaar, IIT Delhi concluded that privacy protection in Aadhaar will require

  1. an independent third party that can play the role of an online auditor,
  2. study of several modern tools and techniques from computer science, and
  3. strong legal and policy frameworks that can address the specifics of authentication and identification in a modern digital setting.

Exchange in Parliament on March 29.ptinews

 


The paper stated: “In an Aadhaar-like setup, the biggest threat to privacy comes from potential insider leaks. The Aadhaar technology architecture does not seem to have been explicitly designed to have strong protections against such insider leaks. We believe that effective protection against insider leaks necessarily requires a third party auditor under independent administrative control.”


Lack of specification of security standardsajayshahblog

The Logical Indian take

With 1.123 billion enrolled members as of 28 February 2017 and over 99% of Indians aged 18 and above being enrolled, Aadhaar has been described as “the most sophisticated ID program in world”.

Its scope has been greatly expanded in recent months, with the government pushing for it to be mandated for availing welfare programs and official programs. Primarily because of this reason, the Aadhaar programme has seen the Supreme Court and the government being at odds with each other. The SC has repeatedly rejected any push to make Aadhaar mandatory for welfare schemes.

The rising significance of Aadhaar has been accompanied by rising concerns over privacy issues and the potential for abuse and data breaches. Looking at the facts, it is easy to surmise that incorrect implementation of the Aadhaar scheme can lead to security risks, identity theft, wrongful acquisition of Indian citizenship, and personal and financial fraud.

However, government entities continue to blindly implement practices which go against the spirit of the Aadhaar Act and act as mere appeasement tactics for universal acceptance of the Aadhaar. And while it is more than likely that UIDAI knows of these shortcomings, it has shorn off all responsibility. Instead of correcting the wrongful usage of the Aadhaar by various agencies, it has shielded itself from the implications of such wrongdoing by framing protective policies.

UIDAI needs to take data security seriously. Aadhaar is a goldmine of information; if it is in the wrong hands, the consequences will be catastrophic. In the Digital Age, most security is cybersecurity. The recent instances of private information being made public on government websites are shameful violations of privacy and the Aadhaar Act.

There should be strict action taken against those responsible for these breaches. And the government should ensure that such violations of privacy and the Aadhaar Act do not take place in the future.


Read more:

  1. Aadhaar: Its History, Pros, Cons & Expansion Of Scope By The Govt.
  2. We All Have An Aadhaar Card; Know About Its Serious Loopholes

Share your thoughts..

Related Stories

Ten Men Arrested For Making Fake Aadhaar Cards By Hacking Biometric Security Settings Of UIDAI

Privacy Is A Fundamental Right Under The Indian Constitution: Supreme Court

From October, Dying Without Possession Of An Aadhaar Card Will Be A Major Problem

Aadhaar

210 State And Central Govt Websites Expose Aadhaar Card Holders’ Details: Centre To Lok Sabha

Jio

Reliance Jio Users’ Information Leaked Online, Jio In Denial

aadhaar, section 139AA

Those Without Aadhaar Need Not Link It To Their PAN To File IT Returns: Supreme Court

Latest on The Logical Indian

Opinion

When Religious Politics Fuels Murder: The Myth Of “Love Jihad”

Opinion

Realities Of Caste Politics & Music: Not-So-Distant Cousins

Legal

Bangalore Development Authority’s Revised Master plan 2031: Reduced Forest Cover And Encroached Lakes

Environment

The History Of How Delhi’s Air Pollution Got So Toxic

News

Supreme Court Orders A Speedy Trial For Nithyananda Rape And Cheating Case

News

Unemployment: More Than 10 Lakh People Including PHDs Applies For Jobs Of Patwari In Madhya Pradesh