The UIDAI has insulated itself from any blame or responsibility for leaks in the Aadhaar ecosystem

No matter how many times there are news reports of leaks of databases containing Aadhaar numbers along with other sensitive and private information, the UIDAI can continue to claim a 7-year-long, flawless record of adequate data security.

The problem here is not with the UIDAI biometric database. That database is apparently behind seven firewalls and Norton, and uses proprietary technology. All this is independently audited regularly by security companies. In any case, the database is used only for verification and authentication, and therefore contains only the templates needed for performing the verification and authentication functions.

However, that is not the only database with details relating to Aadhaar. Databases that include names, names of parents, PAN numbers, mobile numbers, religion, marks, status of rejection of applications, bank account numbers, IFSC codes and other sensitive information have been leaked repeatedly, and are available via simple Google searches.

An operator arranges the Unique Identification (UID) documents submitted by people for their enrolment in the desert Indian state of Rajasthan. Image: Reuters/Mansi Thapliyal

Unfortunately, these databases do not enjoy the exceptional security provided to the core biometric (template) database, and are not secured by the UIDAI. Instead, they are secured by the various governmental departments and agencies that collect them for all the reasons Aadhaar is used for. Third party institutions and organisations also collect the data and store them for their own purposes. These are the databases that are susceptible to breaches, or easily available for someone who knows Google-Fu.

The UIDAI and the Information Ministry offer canned responses to such breaches. If the breach originates from a third party, then harsh action is taken in accordance with the Aadhaar Act. In a case where an overexcited worker at an Aadhaar data collection center leaked the personal details of cricketer MS Dhoni, the agency was banned for 10 years.

A banner on the UIDAI web site.

We are not aware of any such harsh actions taken against leaks originating from official sources, including from the domains operated by the government. If readers are aware of any such instances, do let us know in the comments section below. Even if the UIDAI takes steps to make sure a few government officials are put behind bars, the leaked data cannot be made confidential again.

Instead, what is known to have happened in previous such breaches is that a circular is sent to the government agencies notifying them that publicly posting private information, including Aadhaar numbers, is not allowed. A banner is put up on the UIDAI website. If the breach originates from a government source, the data sources are silently pulled.

An agency tasked with storing data can claim that any database with personal information is adequately protected according to Indian laws. The lack of dedicated data security and privacy laws in the country makes it difficult to dispute such claims. In fact, at an Aadhaar hearing in July 2015, the attorney for the Government went ahead and made it clear that Indians do not have a right to privacy at all. "Right to Privacy is not a fundamental right under our Constitution. It flows from one right to another right. Constitution makers did not intend to make Right to Privacy a fundamental right. There is no fundamental right to privacy so these petitions under Article 32 should be dismissed," Attorney General Mukul Rohatgi submitted during a 2015 hearing on Aadhaar data collection violating the privacy of individuals.

Ghewar Ram (R), 55, and his wife Champa Devi, 54, display their Unique Identification (UID) cards. Image: Reuters/Mansi Thapliyal

UIDAI itself claims that the Aadhaar Act has integrated the data protection and privacy laws within itself, and so provides adequate legal protection to the individuals. If something goes wrong, the citizens cannot file their own complaints. The UIDAI has reserved the right to launch criminal proceedings for Aadhaar related issues, and only the UIDAI can file an FIR. The UIDAI has insulated itself very smartly because of all these reasons. Data leaks? UIDAI has a flawless record, and the data is secured with “harsh laws”. Worried about the most mandatory voluntary scheme in existence? That is the law of the land. Inconveniencing senior citizens and the caregivers of the disabled with harsh deadlines for Aadhaar linking? That is the fault of the external agencies linking to Aadhaar, and not a decision taken by the UIDAI.

Now, we can expect another round of reassurances. Whether the statements come from the UIDAI, UIDAI chief Ajay Bhushan Pandey, IT Minister Ravi Shankar Prasad or the Minister of State for Electronics and IT, the end result would be more reassurances to the public and before the houses of parliament that the Aadhaar data is adequately secured, that there are enough regulations in place, and that the program is coming along nicely as an example of something the world has never attempted before.

The arguments by the UIDAI and the government so far have not convinced critics. Pavan Duggal, a lawyer and leading expert on cyber laws in India, says “The fears pertaining to misuse of Aadhaar data are real because the concerns have not been adequately addressed. You can’t take an ostrich approach to Aadhaar and hope the problems will go away. They’re very real, and they affect everyone.”

Anita Gurumurthy, from the IT for Change NGO, an organisation that works at the intersections of digital technologies and development, writes, “In the absence of a data protection law and privacy rules, there is no accountability structure for the use and abuse of citizen data. This is why the seeding of Aadhaar to databases can bestow unchecked power upon the already powerful – bureaucrats, politicians, corporate actors, and other vested interests – who can exploit people by accessing information about them.”

New laws for data retention have been proposed. The WhatsApp case on data sharing with Facebook has pushed the government towards putting a data protection regime in place, which may have an effect on Aadhaar and the Aadhaar ecosystem. It may improve the safeguards on user data, or it may not.

In any case, there is an urgent need for pro-active privacy and data protection laws in the country.

Published Date: May 02, 2017 12:53 pm | Updated Date: May 02, 2017 12:53 pm