Centre for Internet & Society

Just how leaky is the Aadhaar data? A lot, says a study published by Centre for Internet and Society, a Bengaluru-based organisation (CIS). In a study published on May 1, two researchers from CIS found that data of over 130 million Aadhaar card holders has been leaked from just four government websites. As scary as this is, there is more to it. Not only the Aadhaar numbers, names and other personal details of millions of people have been leaked but also their bank account numbers.

The article was published in India Today on May 4, 2017.

The CIS report noted that the leak is from four portals that deal with National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme and Daily Online Payment Reports of NREGA.

"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million from the specific portals we looked at," notes the report released on May 1.

It also says that the extent of the leaks could be even bigger than what the CIS research found. "While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, who have also used Aadhaar for DBT could have leaked PII similarly due to lack of information security practices. Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT,10 and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," noted the report prepared by Amber Sinha and Srinivas Kodali.

The report highlights that one of the major issues with the Aadhaar project is how the data has been collected is handled by various government agencies. "While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data," notes the report. "...it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may used for mischief."

This is not the first time, there have been leaks into the Aadhaar system, although this is probably the first time someone has documented the whole bit so meticulously. There have been reports of data leaks in the past. In fact, as more and more government schemes and ID cards gets linked with Aadhaar data the instances of leaks have increased significantly.

One of the big problem with the Aadhaar data is that of accountability. In absence of a good privacy law and provisions that prescribe punishment in case of private data leak, private and public agencies in India are often careless about handling of data. The private details of people have not only leaked from government websites but also from private bodies like banks, telecom operators, insurance providers and financial organisations. Recently, a major data leak came to light involving a website that was selling private information of probably hundreds of thousands of people who have take car loan in the last several years.

This is a point that is also highlighted by CIS report. "Information and data leaks have been occurring in India for a long time and the leaks around Aadhaar are not the first data leaks. But with the scale and design of Aadhaar, any information being leaked is dangerous and its impact not entirely reversible," it says.

Yet, despite all the data leaks and the fact that they undermine the faith in Digital India, the government -- first UPA and now NDA -- has not created and introduced a proper privacy and data protection law in India.