UIDAI remains silent on #Aadhaarleaks of 13 crore users through government portals

The blog post by Shruti Menon was published by Newslaundry on May 2, 2017

The verdict on linking Aadhaar with Permanent Account Number (PAN) and making it mandatory for filing income tax returns (ITRs) will be out soon. Attorney General Mukul Rohatgi had a tough challenge ahead of him in the Supreme Court as the state presented its argument today. Rohatgi defended the amendment in income tax law allowing this after senior lawyer Shyam Divan made a strong case against it on April 26 and 27. Divan became a hero to many overnight after he presented compelling arguments against the amendment citing facets of right to privacy - informational self-determination, personal autonomy, and bodily integrity - as he did so. Though the court has refused to entertain arguments pertaining to privacy, he managed to argue these concerns without couching them under right to privacy laws.

Advocate Gautam Bhatia posted minute-by-minute developments from the courtroom, and soon, #ThankYouMrDivan became one of the top trends on Twitter.

A day before the state presented its arguments, the Centre for Internet and Society (CIS) published a report titled “Information, Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” late on Monday. Authored by Amber Sinha and Srinivas Kodali, the report documents the leaks of over 13 crore Aadhaar numbers and resulting information of beneficiaries through four government portals-two at the centre and two at the state. “We are primarily talking of lack of standards and data fact-checking, storage and how all of this information- account numbers, phone numbers plus, Aadhaar numbers- in public domain increases the nature of risk of the backbone of digital payments,” Kodali told Newslaundry.

The four portals studied by the two are National Social Assistance Programme (NSAP), National Rural Employment Guarantee Act (NREGA) and two databases of Andhra Pradesh- NREGA and their scheme called Chandranna Bima. The report claims that the aforementioned public portals compromised personally identifiable information (PII) including “Aadhaar numbers and financial details such as bank account numbers” of 13 crore people due to a lack of security controls.

“While the details were masked for public view, someone with login access could get the details,” the report read. “When one of the url query parameters of the website showing the masked personal details was modified from ‘nologin’ to ‘login’, that is, control access to login based pages were allowed providing unmasked details without the need for a password.” What this essentially means is that these portals allow people to explore lists organised by states, districts, area, sub-district, and municipalities which contain the personal information of the people who are enrolled into the schemes.

The report also cites legal framework under the Aadhaar Act that allows the government or private entities to store Aadhaar numbers on the grounds that they won’t be used for purposes other than those listed in the act. CIS’s study, however, reveals that information pertaining to religion, caste, race, tribe or even income is sometimes collected and published on such portals with little in the way of security checks.

Speaking to Newslaundry, Anupam Saraph, professor and former governance and IT advisor to Goa’s Chief Minister, Manohar Parrikar, said that the data exposed could be significantly more than what the report shows. “Many more Aadhaar numbers have been exposed on websites relating to Pension Schemes, PDS, Ministry of Water and Sanitation, Ministry of Human Resource Development, Scholarships, Schools, Colleges, Universities, Kendriya Sainik board, PM Avas Yojana to name a few,” he said. “Besides this Registrars to the UIDAI (State Governments and various ministries of the Central government, some Public Sector undertakings) were allowed to retain the Aadhaar number, demographic and biometric data (associated with the Aadhaar number). While this may not be exposed on websites, it is unsecured and possibly accessible to data brokers within and outside government,” said Saraph who has designed delivery channels and ID schemes for better governance.

What’s worth noting is that the people whose data has been breached are unaware that their information is available on public platforms and vulnerable to data theft. “It is UIDAI’s [Unique Identification Authority of India] job to investigate and inform them,” Kodali told Newslaundry. “At some point of time, everybody is going to have everybody’s information,” he added.

Currently, the government has an open data portal. It describes itself as a platform “intended to be used by Government Ministries/Departments and their organisation to publish datasets, documents, services, tools and applications collected by them for public use”.

So is it feasible to have open data portals for transparency and accountability? “Having certain government data being publicly accessible is certainly desirable.” Saraph continued that the problem was, data on public expenditure should ideally be openly accessible but it’s also where the most leakage occurs. “Making Aadhaar mandatory is meaningless,” he said, as India does not have a policy on open data portals yet, which can subject Aadhaar data to “misuse”.

Given that the UIDAI is responsible for investigating and making people aware of any data breach or theft, they have remained silent for an oddly long time. It is unclear whether the UIDAI is itself aware of who has accessed the data that is insecurely published on these government portals. “They’re letting everybody collect this information but they were not aware themselves that who had access to this information, that’s the main problem,” Kodali said. While the Aadhaar ecosystem was to ensure social inclusion and transparency, in its current form, the system looks so opaque that the people who are running it may not be aware themselves of what is going on.

What does it mean to have access to someone else’s Aadhaar?

With an increasing number of social welfare schemes being linked to Aadhaar, it was touted as an attempt to remove the middlemen, frauds and corruption with the government. According to the report, "A cumulative amount of Rs 1,78,694.75 has been transferred using DBT for 138 schemes under 27 ministries since 2013. Various financial frameworks like Aadhaar Payments Bridge (APB) and Aadhaar Enabled Payment Systems (AePS) have been built by National Payment Corporation of India to support DBT and also to allow individuals use Aadhaar for payments."

Given that such systems are in place to ensure easier and accessible banking, research shows that the Aadhaar seeding process led to government portals putting personal information of so many people under various schemes in the "absence of information security practices to handle so much PII", as per the research. This is not only a breach of privacy but also makes a person vulnerable to financial fraud in cases where their bank details are public. "One of the prime examples is individuals receiving phone calls from someone claiming to be from the bank. Aadhaar data makes this process much easier for fraud and increases the risk around transactions," the report reads.

UIDAI on silent mode

Unfortunately, UIDAI has not addressed this concern, let alone acknowledge it. It has been cracking down on people by filing first information reports (FIRs) against those tracking and exposing the vulnerabilities of the Aadhaar system. Recently, UIDAI’s Chief Executive Officer (CEO), ABP Pandey was accused of blocking twitter handles of prominent security researchers and analysts who have been extensively reporting about vulnerabilities in the Aadhaar system.

One of the handles was blocked was Saraph’s. “I do not know why they blocked me. I have been vocal about the problems associated with the UID and its use,” he said. He added that he served several notices of contempt of court to the CEO of UIDAI and has been questioning the verification and audit of UID database. “Perhaps [he] was annoyed with my efforts to make them accountable and responsible,” he said.

On April 18, however, in a response to Right to Information (RTI) query filed by Sushil Kambampati, UIDAI denied having blocked any twitter handles. Almost immediately, it was called out on twitter for ‘lying’ in the RTI response as many users claimed it had.

Saraph declared that such a move, the blocking of users asking questions, was indicative of UIDAI’s cluelessness. Apar Gupta, a Delhi-based lawyer working on cyber security, had told Newslaundry that it was unethical and unconstitutional of government bodies (such as the UIDAI) to block people. He reiterated that in one of his tweets recently.

Today, however, the Pandey’s individual twitter profile no longer exists. It has now been changed to “ceo_office”. CIS’s report states that the UIDAI has been pushing for more databases to get in sync with Aadhaar, but with little or no accountability. “While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take a little responsibility in ensuring the security and privacy of such data,” the report reads. Kodali, however, told Newslaundry that the report was not aimed at questioning the security of such seeding. “We’re not saying it is not really secure but we’re just saying it increases the risk factors,” he said.

UIDAI has also not responded to several queries filed by vulnerability testers.

Newslaundry reached out to the UIDAI with the following questions:

 

1. According to the report published, four government portals have personally identifiable information of about 13 crore people including their Aadhaar numbers and bank account details. What is being done about this?

 

2. If a person's privacy has been breached, what are the steps UIDAI would take for redressal?

 

3. Is UIDAI investigating the 13 crore Aadhaar leaks?

 

4. The report states "When one of the url query parameters of website showing the masked personal details was modified from “nologin” to “login”, that is control access to login based pages were allowed providing unmasked details without the need for a password." Is this true, and if so, what is your statement?

 

5. How do you ensure data security on open data portals?

This piece will be updated if and when they respond.

While UIDAI remains silent, A-G Rohatgi argued today that close to 10 lakh PAN cards were found to be fake. "Are they propagating a general public interest or propagating the fraud (fake PANs) which is going in," he said at the court today while suggesting that Aadhaar was the only way of preventing fake or duplicate cards.

Senior advocate Arvind Datar, who is also appearing for one of the three petitioners in the case said that the government could not take away his right to chose whether or nor to have an Aadhaar. "The Supreme Court had directed them that they cannot make it mandatory. The mandate of the Supreme Court can not be undone. My right of not to have an Aadhaar can not be taken away indirectly."

Though there are problems with the Aadhaar system and apparently very little redressal at the citizen’s end, Aadhaar is here to stay. As Divan and Rohatgi argue the constitutionality of making Aadhaar mandatory at the Supreme Court, the pertinent question that only the UIDAI can answer is whether they are technologically capable of keeping data secure given how aggressively Aadhaar linkage is being promoted.

However, Rohatgi's argument in court today, according to a Business Standard report was that the government cannot destroy the Aadhaar cards of people even after their death. Instead of being reassuring, this only seems to increase the possibilities for identity theft, as if there is little in the way of redressal mechanisms in life, what choices do the dead have?

The author can be contacted on Twitter @shrutimenon10.