Aadhaar data breach: UIDAI must address privacy concerns urgently; simply denying leak not enough

Asheeta Regidi • January 5, 2018, 16:05:11 IST

Asserting the technical security of the Aadhaar card and the safety of the biometric data alone as a response to privacy allegations is not enough.


A report in The Tribune on Thursday revealed that access to any Aadhaar holder’s details could be gained, through a mere payment of Rs 500, via an anonymous service on WhatsApp. As per the report, the payment allowed the person to be designated as an ‘agent’, which in turn granted him access to the grievance redressal system. Entering an Aadhaar number into the system revealed the holder’s information, including name, date of birth, address, PIN, photo, phone number and e-mail. About one billion Aadhaar holders’ details can be accessed this way. The report alleged that a further payment of Rs 300 allowed printing of an Aadhaar card, using just the holder’s number.

The Unique Identification Authority of India’s (UIDAI) response to this report has been to deny the media report, stating that there was no data breach and that the biometric data was secure. Moreover, the response goes on to state that a ‘mere display’ of demographic details cannot be misused.

This response to an obvious data breach and violation of privacy is extremely worrying. It is yet another reiteration of the privacy concerns with Aadhaar, and of the UIDAI’s constant denial of those concerns instead of sitting up and addressing the problem at hand.

Gaining unauthorised access is a data ‘breach’

A data ‘breach’ is not defined under the Indian Information Technology Act, 2000 or the Aadhaar Act, 2016. However, a data ‘breach’ is not limited to a technical breach like hacking the security systems of the Central Identities Data Repository (CIDR), as is commonly understood. Gaining unauthorised access to a database – in this case, possibly the CIDR – is very much a data breach and a violation of privacy. It is the seriousness of this act of gaining unauthorised access to the Aadhaar database which makes it punishable not only under Section 43 of the IT Act but also under Section 38 of the Aadhaar Act itself.

It is a relief that the breach did not involve a large amount of data being downloaded and stolen, as was seen in the Equifax data breach, where their grievance redressal system was hacked. Nevertheless, each individual whose number has been entered into the system and details extracted in this case has had his privacy violated. The potential of this breach is much greater, with almost any Aadhaar holder’s information being accessible this way.

Privacy concerns extend beyond biometric data

Contrary to the UIDAI’s statement, biometric data is not the only privacy concern with this breach. The disclosure of demographic data, such as an individual’s name, date of birth, address, PIN, photo, phone number, e-mail, etc, is not any less of a privacy concern. This data forms the basis of many cybercrimes, be it phishing or identity theft. Additionally, obtaining biometric data is getting simpler, such as the extraction of fingerprints from photographs or the spoofing of iris scans. Obtaining biometric data will be a huge target for cybercriminals, because of the potential of combining it with the troves of other information already illegally available. It is extremely dangerous, therefore, to underestimate the value of the data disclosed in this breach, simply because it did not include biometric data.

There has not been any data breach of biometric database which remains fully safe & secure with highest encryption at UIDAI and mere display of demographic info cannot be misused without biometrics @thetribunechd @timesofindia @rsprasad @ceo_uidai @htTweets @ZeeNews @IndiaToday

— Aadhaar (@UIDAI) January 4, 2018

Too many players in the Aadhaar system

The breach also revealed another major privacy concern – that of the huge number of players involved in the Aadhaar system. The outsourcing of enrolment centres by the UIDAI, which was put on hold in June 2017 following reports of illegalities, is one such example. The pushing of Aadhaar on a large, nationwide scale definitely led to a lapse in privacy and security considerations. This case reveals a failure to impress upon third parties and private parties the importance of maintaining the confidentiality of the data and the consequences of not doing so. Previous data disclosures by government websites of their databases revealed that the situation was no better there. The disclosure of cricketer MS Dhoni's form by an enrolment centre is yet another example of this.

Moreover, there is a huge lack of penalties and other deterrent consequences. Section 38 of the Aadhaar Act, for instance, will only punish the culprits in this case with imprisonment of three years and a minimum fine of Rs 10 lakhs. This action, however, can only be taken by the UIDAI, and the people affected cannot take these parties or the UIDAI to task for any negligence on their part.

Why are privacy issues with Aadhaar not addressed?

A common argument made in support of the Aadhaar system is that when any new system is launched, there will be drawbacks, which need to be fixed. Without going into the extent of the issues, in particular with privacy, that have arisen with the Aadhaar system, what is extremely worrying is the absolute lack of an attempt to address the issues which are pointed out. Consider the case of the filing of an FIR against a CNN journalist who showed the possibility of obtaining two separate Aadhaar numbers, or the fears of action against the Centre for Internet and Society for their investigation on Aadhaar disclosures by government website databases. The only action taken against the government website disclosures was the issue of a MeitY notification and general guidelines for securing identity information and sensitive personal data or information in compliance to Aadhaar Act, 2016 and Information Technology Act, 2000 issued in May, 2017; guidelines which are good in themselves, but lack any clear consequences for non-compliance.

Asserting the technical security of the CIDR and biometric data is not enough

Compare this with previous laws, such as the Draft Encryption Policy, which was withdrawn when people raised concerns with it, or the DNA Profiling Bill, where privacy concerns raised with the first draft led to substantial changes in support of privacy in the second draft. Even with the framing of the Data Protection laws, an open consultation process has been adopted. There is, here, evidence of a dialogue between the people and the framers of the law, evidence of people’s concerns being addressed.

With the Aadhaar system, a system which is gaining an increasing amount of access to increasingly sensitive data, no such dialogue can be seen. Asserting the technical security of the CIDR and the safety of the biometric data alone as a response to privacy allegations is not enough.

Privacy extends beyond that, and the UIDAI needs to address such incidents very differently. People need to believe that their data is secure and that their privacy is a priority. It is good to know that an FIR has been filed with respect to this incident, but the denial by the UIDAI of the importance of this breach is a major concern. At this stage, it is hoped that the case before the Supreme Court on the privacy concerns with the Aadhaar system will provide a solution for this.

The author is a lawyer specialising in technology laws. She is also a certified information privacy professional.
