7.8 Crore Citizens’ Aadhaar Data Stolen And Misused, Threat To National Security Too
It Grids (India) Pvt Ltd, a Hyderabad based IT company has been booked for illegally holding possession of 7.8 crore records of Aadhaar data and misusing the same. IT Grids is the same company which built the “Seva Mitra” app, the official Telugu Desam Party app. The FIR against IT Grids has been filed by Sri T Bhavani Prasad, Deputy director, Aadhaar. The FIR has levelled various charges against IT Grids. Aadhaar officials can no longer refuse to acknowledge the fallible nature of Aadhaar’s security.
A significant part of India’s population has enrolled in Aadhaar. Central Identities Data Repository (CIDR) and State Resident Data Hub (SRDH) store acutely sensitive information of citizens including their biometrics. Any individual or a body having illegal access to this database can jeopardise the citizens’ and national security. On 2nd March 2019, Thummala Lokeswara Reddy, a data analyst, lodged a complaint against IT Grids for alleged fraudulent usage of identity information like Aadhaar number, voter identity details including colour photographs of individuals, beneficiary details of various Government schemes, and data acquired by various surveys conducted by the Government of Andhra Pradesh through TDP’s Seva Mitra application. Later on, UIDAI led by T Bhavani Prasad also filed an FIR. A special investigation team has been appointed to investigate this matter. The investigation has given rise to suspicions of Seva Mitra application using illegally acquired voter information along with Aadhaar details of the State governments of Telangana and Andhra Pradesh for voter profiling, targeted campaigning (If a government can put together the Aadhaar data it has access to, and the data of beneficiary details of government’s schemes, it can identify which section of the population is happy with the scheme and which section is not, thereby giving it an upper hand in planning its election manifesto and this is what is referred to as ‘targeted campaigning’) and even deletion of voters.
The investigation report also suspects that TDP through Seva Mitra application might have been deleting certain unfavourable voter’s names from the voters’ list. The FIR states, “During the course of the investigation, a search was conducted in the premises of IT GRIDS (India) Pvt Ltd., on 2nd and 3rd March, 7 Hard Disks and other digital evidence were seized from the scene of crime. The seized evidence was sent to Telangana State Forensic Laboratory (TSFSL) for forensic examination.” The FIR further states, “..upon further examination of the digital evidence it was discovered that a whopping 78221397 records of Aadhaar data belonging to the states of Telangana and Andhra Pradesh were found and used by IT GRIDS (India) Pvt Ltd., for the purpose of Seva Mitra application belonging to Telugu Desam Party.” The found data included 1) UID number, 2) EID number, 3) Citizen name, 4) Father/Husband/Guardian name 5) DOB, 6) Village name, 7) Mandal name, 8) District name, 9) Pin code, 10) Pin code, 11) VTC code, 12) VTC name, 13) Phone number, 14) Gender, 15) State code, 16) State name, 17) Citizen name – local, 18) Care of name – local.
FIR 278/2019 by Cyberabad Police in Madhapur on the request of @UIDAI against IT Grids Pvt Ltd. First time in a #Aadhaar case there is a forensic investigation which was missing in all other UIDAI security claims. pic.twitter.com/8gDI3LmpRt
— Srinivas Kodali (@digitaldutta) April 15, 2019
What are the charges against IT GRID?
The IT GRID (India) Pvt Ltd., has been booked under Section 38(g), 38(h) and Section 40 and Section 42 of Aadhaar Act, 2016 for possessing this sensitive database in a removable storage device. IT GRID being a private entity cannot possess identity information as sensitive as Aadhaar, and thereby it contravenes Section 72(A), Section 65 and Section 66(8) of IT Act, 2008. The Aadhaar regulations, 2016 also lays down rigid rules against sharing, circulating or publishing of Aadhaar numbers. The IT GRID has found to have hosted the Aadhaar database in a foreign hosting platform, which contravenes Section 44 of Aadhaar Act.
Has our sensitive data reached unsafe hands offshore?
The special investigation team discovered that IT GRID had been hosting the Aadhaar number and related identity information of citizens in Amazon Web Services, a US-based company, thereby giving Amazon access to our nation’s confidential data. This poses a dangerous threat to national security and the security of individuals whose data has been leaked. This data if reaches terror organisations, the consequences are unimaginable.
UIDAI has finally opened its eyes
After a decade of shying away from acknowledging the possibilities of data theft from CIDR and SRDH, UIDAI finally relents (though forcefully) and took stock of the loopholes in the security system of Aadhaar. UIDAI’s Chief Executive had told Supreme Court that there exists “sufficient safeguard mechanism” and “almost foolproof public key infrastructure (PKI)-2048 encryption…virtually impossible to decipher”. This incident certainly muzzles his false claims and raises a loud alarm.
If someone could steal data from the database, it means that it's not secure. How is that "jumping to conclusions"?
Data once lost is lost forever. It's going to be shared, used,& can be sold easily to enemy countries for microtargeting.
Aadhaar is national security nightmare https://t.co/r4H89NwcAn
— Nikhil Pahwa (@nixxin) April 15, 2019
A thread on all the #Aadhaar data leaks from Andhra Pradesh. The first leak I reported about AP was part of my report on why leaks are happening. The AP government published details of 2 crore residents Aadhaar, bank account numbers, phone numbers as MS Access databases online pic.twitter.com/k7Nad3WZo1
— Srinivas Kodali (@digitaldutta) August 7, 2018
The fundamental glitch of Aadhaar
Kshithij Urs, adjunct professor of Public Policy, National Law School of India University while talking to The Logical Indian said that the very idea of digitising public info and citizens’ identity information is indignating and problematic. Social profiling is a threat to democracy, and he believes Aadhaar to be a social engineering tool of the power-holders. He also says that Aadhaar is a massive step towards normalising hegemony in our society. He reminds us how Cambridge Analytica has proved it to the world that data can be used to manipulate minds.
Surveillance breeds mistrust between the citizens and the government and thereby demolishes the foundations of democracy. Scores of activists have been trying to bring to light the evil side of Aadhaar ever since Aadhaar was implemented.
Remember, kids: Aadhaar is synonymous with data misuse and privacy violations. It doesn't work otherwise. There is no pure Aadhaar vision in which it is useful without such misuse. https://t.co/QBfIEFv5NE
— Kiran Jonnalagadda (@jackerhack) April 16, 2019
— Srinivas Kodali (@digitaldutta) April 16, 2019
UIDAI lives in denial
This particular event undoubtedly has shaken the beliefs and claims of UIDAI. In an official statement, UIDAI denies any data being stolen from its servers and CIDR. It continues to claim that its CIDR and its servers are “completely safe and fully secure”. “UIDAI has filed a complaint on the basis of a report from Special Investigation Team (SIT) of Telangana Police that IT GRIDS (India) Pvt. Ltd has allegedly obtained and stored Aadhaar numbers of a large number of people in violation of the provisions of the Aadhaar Act.
“Nowhere in the report, the SIT has found any evidence to show that the Aadhaar number, name, address, etc., of the people, have been obtained by stealing them from UIDAI servers,” the statement said. The statement also reads, “The alleged incident has nothing to do with UIDAI’s data and servers.”
But the SIT initial investigation states, “…it is also pertinent to bring to your notice that the structure and size of the database is surprisingly similar to that of databases that could have been originally owned by Unique Identification Authority of India”
If SIT concludes that the database found with IT GRIDS has been stolen from CIDR and Aadhaar servers, the arguments and concerns of privacy-activists will be reinforced and their fears will be proved true. Will this lead to the end of Aadhaar? Only time can tell us.