Sudhanva Shetty Shetty
Writer, coffee-addict, likes folk music & long walks in the rain. Firmly believes that there's nothing more important in a democracy than a well-informed electorate.
Tuesday, 25 April, was plagued with two major instances of private Aadhaar information being made public on government websites.
In both instances, Aadhaar numbers were mentioned along with names, addresses, mobile phone numbers, parents’ names, bank account details. Even photographs in some cases were made public and searchable.
— surinderxx (@surinderxx) April 23, 2017
The above two instances followed three similar cases of data mismanagement in only the last three days. The information of the following beneficiaries was displayed on the respective department websites:
— Road Scholarz (@roadscholarz) April 24, 2017
In the month of April, there have been at least 10 major Aadhaar data leaks – that is, 10 reported leaks.
MediaNama documented how these leaks are is a systemic problem. Furthermore, with Aadhaar being made mandatory for a variety of government programmes and subsidies, the data collection, storage, and leaks are likely to only increase, affecting more and more citizens.
This month’s leaks have together resulted in the release of data of millions of citizens. This data includes much more than Aadhaar numbers – it includes bank account details, addresses, phone numbers, and photographs.
These repeated leaks – five major leaks only in the last four days – are alarming and dangerous. Not only are they a breach of cybersecurity and privacy, they are also a violation of the Aadhaar Act, 2016. The Aadhaar Act tasks the UIDAI – the governing body which manages the Aadhaar database – with ensuring the security and confidentiality of Aadhaar information.
RS Prasad had said that 'law will be ignited' if there are data leaks. But there's a rider:
— Meghnad (@Memeghnad) April 25, 2017
— Anand V (@iam_anandv) April 24, 2017
“Indians in general have yet to understand the meaning and essence of privacy.” – Tathagata Satpathy, MP from Dhenkanal, Odisha.
The right to privacy is an element of various legal traditions which may restrain both government and private party action that threatens the privacy of individuals. Over 150 national constitutions mention this right. (More details here.)
Furthermore, as Vrinda Bhandari and Renuka Sane noted:
- In 2011, India was ranked by Google as the third most intrusive State in terms of the number of requests for data on users with 1699 (1430) user data requests being made to Google alone.
- The Report on surveillance in India by the Software Freedom Law Centre (SFLC) found that on average, the central government alone taps more than 1 lakh phone calls a year, with around 7500-9000 phone interception orders being issued by it monthly. Combining this with requests from the State Government, the Report concluded that, Indian citizens are routinely and discreetly subjected to Government surveillance on a truly staggering scale.
- The Central Monitoring System (CMS) set up by the Government of India allows authorised security agencies to instantly intercept and directly monitor communications on mobile phones, landlines and the internet in the country (including on social media) to strengthen the security environment. The CMS will have deep search surveillance and monitoring capabilities with little requirement for authorisation. Its “direct electronic provisioning” allows automated instantaneous interception, that enables direct access by bypassing telecom service providers.
- NATGRID, conceived in the aftermath of the 26/11 attacks, seeks to create a centralised database streaming sensitive information from 21 data sources, including banks, travel details etc. Information infrastructure like Aadhaar may make it easier to utilise this information. In a fledgling democracy, the emergence of this new technology comes with the possibility of misuse.
More information on privacy and data security in India can be read here.
In an investigation of the privacy and security issues of Aadhaar, IIT Delhi concluded that privacy protection in Aadhaar will require
The paper stated: “In an Aadhaar-like setup, the biggest threat to privacy comes from potential insider leaks. The Aadhaar technology architecture does not seem to have been explicitly designed to have strong protections against such insider leaks. We believe that effective protection against insider leaks necessarily requires a third party auditor under independent administrative control.”
With 1.123 billion enrolled members as of 28 February 2017 and over 99% of Indians aged 18 and above being enrolled, Aadhaar has been described as “the most sophisticated ID program in world”.
Its scope has been greatly expanded in recent months, with the government pushing for it to be mandated for availing welfare programs and official programs. Primarily because of this reason, the Aadhaar programme has seen the Supreme Court and the government being at odds with each other. The SC has repeatedly rejected any push to make Aadhaar mandatory for welfare schemes.
The rising significance of Aadhaar has been accompanied by rising concerns over privacy issues and the potential for abuse and data breaches. Looking at the facts, it is easy to surmise that incorrect implementation of the Aadhaar scheme can lead to security risks, identity theft, wrongful acquisition of Indian citizenship, and personal and financial fraud.
However, government entities continue to blindly implement practices which go against the spirit of the Aadhaar Act and act as mere appeasement tactics for universal acceptance of the Aadhaar. And while it is more than likely that UIDAI knows of these shortcomings, it has shorn off all responsibility. Instead of correcting the wrongful usage of the Aadhaar by various agencies, it has shielded itself from the implications of such wrongdoing by framing protective policies.
UIDAI needs to take data security seriously. Aadhaar is a goldmine of information; if it is in the wrong hands, the consequences will be catastrophic. In the Digital Age, most security is cybersecurity. The recent instances of private information being made public on government websites are shameful violations of privacy and the Aadhaar Act.
There should be strict action taken against those responsible for these breaches. And the government should ensure that such violations of privacy and the Aadhaar Act do not take place in the future.
Thank you for subscribing.
We have sent you a confirmation email.