NSA whistle-blower-at-large Edward Snowden seems to be following Aadhaar developments quite keenly. It is evident from his Twitter feed that Snowden has his own take on Aadhaar. Earlier this month, he came out in support of the journalist who had uncovered the Aadhaar WhatsApp scam.
More recently, Snowden tweeted an article authored by a former head of India's external intelligence agency, the Research and Analysis Wing (RAW), saying that it is one of those rare instances where he agrees with a former intelligence chief.
In response to a tweet by the Unique Identification Authority of India (UIDAI) busting Aadhaar myths, which calls Aadhaar an identifier and not a profiling tool, Snowden said that while that could be true, there are other issues. "But any Indian can tell you they're asked for their number by non-government entities — and those companies have databases too," said Snowden.
That might be true if banks, landlords, hospitals, schools, telephone & internet companies were prohibited by law from asking for your #Aadhaar number. But any Indian can tell you they're asked for their number by non-government entities––and those companies have databases too. https://t.co/WsKC9wR6sj
— Edward Snowden (@Snowden) January 21, 2018
Since then, Snowden has been tweeting the responses he has received regarding Aadhaar.
While it is true that the Aadhaar database itself does not store any additional information about the entities that use it for verification, it would be naive to think that these third-party, non-government agencies do not store your Aadhaar number, which can then be mapped to the data they already hold. Say, for instance, you are applying for a mobile connection and are asked to fill out a form with personal details such as name, address, date of birth and email address. That data is already with the telco. On top of it, the telco requests your Aadhaar number for the verification process, which is carried out through the Aadhaar authentication API. Who's to say these companies are not storing your Aadhaar number alongside that form? Extend this to every other institution that asks for your Aadhaar number, and you have a single identifier linked to multiple, independently held sets of data: a join key that anyone holding two of those databases can use to connect them. The weak link is these databases getting compromised; whatever security the UIDAI applies to its own repository does nothing for a copy of your number sitting in a telco's or a landlord's records.
We have seen in the past how databases of institutions were exposed on the public internet, discoverable with a simple Google search and searchable by Aadhaar number. There was even an Aadhaar data leak from the Jharkhand Directorate of Social Security (JDSS). These are just two examples.
The fault here isn't with the UIDAI as such, but with the poor practices of the third-party agencies and institutions that mandate verification by Aadhaar number and then retain the number in their own systems.
According to the Aadhaar Bridge website, "Aadhaar authentication API is the procedure wherein the Aadhaar number of the user along with other attributes including the biometrics, are submitted online to the CIDR for verification on the basis of data and documents available with it. Aadhaar UIDAI authentication API offers several ways in which a user can authenticate themselves using the system. This Aadhaar authentication service uses demographics data or biometric data or OTP. During the authentication transaction of Aadhaar API, the user’s record is first selected using the Aadhaar number and then the biometric or demographic inputs are matched against the stored data within CIDR which was given by the user during enrolment or update process."
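To make the two points above concrete (the yes/no authentication flow just quoted, and the earlier warning that relying parties keep the number and thereby create a join key across their databases), here is an added Python sketch. It is not code from the article, from UIDAI or from Aadhaar Bridge: the enrolment records are constructed, and the class, function and field names (`SimulatedCIDR`, `RelyingParty`, `tokenize`, `aadhaar_ref`) are this writer's assumptions. It simulates a central repository that selects a record by number and answers only yes or no to a demographic or OTP check, then onboards the same two people at a "telco" and a "bank" under two storage regimes. Storing the raw number lets an attacker holding both leaked dumps join every record; storing a per-organisation keyed hash instead (an assumed mitigation, not something the article describes) defeats that join while still letting each organisation recognise a returning customer.

```python
import hmac
import hashlib
import secrets

# Constructed sample enrolment data for the simulation; not real people or numbers.
CIDR_RECORDS = {
    "123456789012": {"name": "Asha Kumar", "dob": "1985-04-12", "pincode": "560001"},
    "987654321098": {"name": "Ravi Singh", "dob": "1990-11-30", "pincode": "110001"},
}


class SimulatedCIDR:
    """Stand-in for the central repository (an assumption, not the real API).

    Mirrors the flow quoted from Aadhaar Bridge: select the record by number,
    then match the submitted demographic data or OTP against it, and return
    only a yes/no. Nothing about the calling organisation is kept here.
    """

    def __init__(self, records):
        self._records = records
        self._pending_otps = {}

    def issue_otp(self, aadhaar_number):
        """Generate a single-use OTP. Returned here only so the simulation can use it;
        a real deployment would deliver it to the holder's registered mobile."""
        if aadhaar_number not in self._records:
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending_otps[aadhaar_number] = otp
        return otp

    def authenticate_demographic(self, aadhaar_number, attrs):
        record = self._records.get(aadhaar_number)
        if record is None or not attrs:
            return False
        # Every submitted attribute must match exactly; an unknown attribute fails closed.
        return all(record.get(k) == v for k, v in attrs.items())

    def authenticate_otp(self, aadhaar_number, otp):
        expected = self._pending_otps.pop(aadhaar_number, None)  # consumed on any attempt
        return expected is not None and hmac.compare_digest(expected, otp)


def tokenize(aadhaar_number, org_key):
    """Per-organisation keyed hash of the number (assumed mitigation).

    The same number hashed under two different keys gives unrelated values, so
    dumps from two organisations cannot be joined on this column.
    """
    return hmac.new(org_key, aadhaar_number.encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    """A telco- or bank-style customer database that verifies customers via the CIDR."""

    def __init__(self, cidr, org_key=None):
        self.cidr = cidr
        self.org_key = org_key  # None: the organisation keeps the raw number
        self.db = []

    def onboard(self, customer, aadhaar_number, attrs):
        if not self.cidr.authenticate_demographic(aadhaar_number, attrs):
            return False
        record = dict(customer, aadhaar_verified=True)
        if self.org_key is None:
            record["aadhaar"] = aadhaar_number  # the practice the article warns about
        else:
            record["aadhaar_ref"] = tokenize(aadhaar_number, self.org_key)
        self.db.append(record)
        return True


def cross_link(dump_a, dump_b, column):
    """What an attacker holding two leaked dumps does: join them on a shared column."""
    index = {r[column]: r for r in dump_a if column in r}
    return [(index[r[column]], r) for r in dump_b if r.get(column) in index]


def linkage_demo():
    """Onboard the same two people at a telco and a bank, 'leak' both databases,
    and count how many records an attacker can join under each storage regime."""
    cidr = SimulatedCIDR(CIDR_RECORDS)
    people = [
        ("123456789012", {"name": "Asha Kumar", "dob": "1985-04-12"}),
        ("987654321098", {"name": "Ravi Singh", "dob": "1990-11-30"}),
    ]
    raw_telco, raw_bank = RelyingParty(cidr), RelyingParty(cidr)
    tok_telco = RelyingParty(cidr, org_key=secrets.token_bytes(32))
    tok_bank = RelyingParty(cidr, org_key=secrets.token_bytes(32))
    for number, attrs in people:
        for rp, extra in ((raw_telco, {"plan": "prepaid"}), (raw_bank, {"balance": 1200}),
                          (tok_telco, {"plan": "prepaid"}), (tok_bank, {"balance": 1200})):
            if not rp.onboard(dict(attrs, **extra), number, attrs):
                raise RuntimeError("verification unexpectedly failed")
    raw_joins = len(cross_link(raw_telco.db, raw_bank.db, "aadhaar"))
    token_joins = len(cross_link(tok_telco.db, tok_bank.db, "aadhaar_ref"))
    return raw_joins, token_joins


if __name__ == "__main__":
    print(linkage_demo())  # (2, 0): raw numbers link every record, per-org tokens link none
```

Two caveats on the mitigation. A keyed token only removes the Aadhaar number as the join key; the name, date of birth and phone number that sit beside it are quasi-identifiers in their own right, so two dumps can often still be matched on those. And the token is only as private as the key: an organisation that stores the key in the same database it leaks has gained nothing, and the organisation itself can always re-identify its own customers, which is the intended property, not a flaw.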
The Aadhaar Act (PDF) says, "No Aadhaar number or core biometric information collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for the purposes as may be specified by regulations."