Business Standard

Aadhaar's security flaws can have devastating consequences for Indians

Does UIDAI think citizens' privacy is a 'small price' to pay for how the govt can monetise Aadhaar in future?

Srinivas Kodali | The Wire 

A villager goes through the process of eye scanning for Unique Identification (UID) database system at an enrolment centre at Merta district in Rajasthan. Photo: Reuters

It is no surprise that the latest data and security breach surrounding the programme has been selectively denied by the Unique Identification Authority of India (UIDAI), the government of India and the

All three have slammed reports, calling it mis-reporting even though the process of filing a first information report (FIR) is underway and the portal where the alleged breach took place ( has been shut down since the started making waves.

Increasingly worn out defences were also mounted and trotted out – the UIDAI stated that is completely safe and cannot be accessed by any rogue individual. It stoically, and misleadingly, maintained that the Central Identities Database Repository (CIDR) was safe even though nobody (including The Tribune) claimed that biometrics were accessed or the CIDR was compromised.

The UIDAI also curiously engaged in a dangerous campaign of misinformation by claiming that the demographic data associated with Aadhaar numbers (name, gender, age, phone numbers, addresses) is not sensitive information. Its implication is that it is wholly acceptable for this to be in the public domain even though the Aadhaar Act of 2016 specifically states otherwise.

However, even on its claims of and the enrolment process being secure, the UIDAI falls short. It has filed two FIRs over attempts that were made to breach the authentication process in Uttar Pradesh. The UP Police Special Investigation Task Force has arrested a gang believed to have built their own registration clients, bypassing both and iris protections designed for the enrolment procedure.

Leaving this aside though, it has become clear that this is how the UIDAI acts when presented with evidence that its wider ecosystem is filled with holes and is leaking profusely. Every time a incident is reported, the agency puts out blanket denials even before investigating what has transpired. In the latest breach, the filing of an FIR clearly indicates something has gone wrong and thus needs to be further investigated.

Since the formalisation of the UID programme through the 2016 Act, breaches in the wider ecosystem have piled up. Nearly a year after the Act was pushed through the Lok Sabha, the minister of state for information technology replied to a question in parliament, admitting that over 200 government websites had been publishing Aadhaar numbers, and the list of these websites has been made available in a subsequent parliamentary question.

Clearly, multiple breaches and lapses have been reported to the UIDAI, as acknowledged in parliamentary questions.

What is frustrating about the UIDAI’s perpetually defensive position is that many researchers and concerned persons have been trying to report issues with Aadhaar for a long time. Consider the specific issue reported by The Tribune – a search facility that allowed authorised personnel to enter the Aadhaar number of a person and pull up their personal data was deliberately misused.

Twitter user databaazi has consistently flagged concerns of how the UID ecosystem gives third parties access to details through internal tools, in this case DSDV (Direct Benefit Transfer Seeding Viewer). DSDV, as mentioned in one of the documents, gives access to demographic data from CIDR to government agencies and banks. Sound familiar?

A clipping of how the DSDV search facility works. Credit: UIDAI

Even after the raising of concerns and the reporting of breaches, the UIDAI has no set procedure for researchers to report these issues through secure channels.

The government body has also selectively ignored issues of how third parties are accessing and storing demographic data even though plenty of attention is diverted to how the programme can help promote India’s digital economy. In the grander scheme of things – where future Indian governments will monetise and extract maximum value from the personal data of its citizens – violations, identity theft and financial fraud are apparently a small price to pay.

Indeed, the most important story of Aadhaar over the last few years is that while its core (the Central Identities Database Repository) may be strong, its branches, roots and wider ecosystem are dangerously exposed, with open access to any private company by default.

This shows in the way the Centre frames its denials, and in the way it selectively replies to questions related to Aadhaar in parliament.

For instance, when asked about leakage of by private vendors – a problem that is currently threatening to snowball out of control – the minister of state for information and technology merely replied in parliament that in the CIDR had not been breached.

To another question on action taken against government employees for leaking to unauthorised persons, the minister again meekly replies that “no such incidents have been reported to the UIDAI” – he is clearly not willing to answer whether any employees or bureaucrats were penalised for publishing the personal data of millions of Indian citizens on 210 government websites.

If you look at other questions in parliament where the mandatory nature of Aadhaar is being questioned, the government is also selectively answering them. To one question, the minister for social justice and empowerment baldly states that Aadhaar is not mandatory for beneficiaries. His answer clearly doesn’t reflect on-ground realities and reflects the government’s blinkered approach to accepting and understanding the flaws with the identification scheme.

By embodying the “see-no-evil, hear-no-evil, speak-no-evil” approach of the three wise monkeys, the authorities are doing more harm than good. The UIDAI and the government need to change their stance and start listening to people who are pointing out critical flaws instead of issuing blanket denials and template answers.

Unless they do, it is only a matter of time before the ecosystem’s flaws bring down the whole house, with devastating consequences for India’s citizens.

Srinivas Kodali is an interdisciplinary researcher working on issues of cities, and internet. He volunteers with internet movements and communities.

Published in arrangement with The Wire.

First Published: Sat, January 06 2018. 12:34 IST