The Unique Identification Authority of India (UIDAI), which runs the world’s largest biometric identity card scheme, has initiated a police probe into a major security breach.
The probe was ordered on Thursday after the local Tribune newspaper accessed a database containing the identity details of more than one billion citizens, which was being sold for a meagre $8, the report claimed. An anonymous seller over WhatsApp created a “gateway” for one of the newspaper’s correspondents to gain access to the database, after which any identification number, referred to as Aadhaar, could be entered and the person’s name, address, photo, phone number and email displayed.
On Thursday, the UIDAI said the breach appeared to have been caused by the “misuse” of a grievance-redressal search facility that can be accessed by the public.
“The Aadhaar data, including biometric information, is fully safe,” the authority said in a statement.
But Kiran Jonnalagadda, cofounder of the Internet Freedom Foundation, said the incident revealed a serious problem with data security. The breach involved the use of a backdoor created by the UIDAI for the use of authorised parties, a definition encompassing thousands of government officials, he said.
“These officials were allowed to appoint other officials with the right to access data. It’s no wonder someone down the chain went rogue and started selling access,” Jonnalagadda told Al Jazeera.
Growing privacy risks
Activists have warned of increasing security and privacy risks associated with the ambitious Aadhaar project and its linking with government and private services, including banking and telephone accounts.
Security protocols were clearly violated, said Pranesh Prakash, policy director at the Centre for Internet and Society.
“This incident shows that those who have legitimate access to the Aadhaar database have been involved in providing illegitimate access to it by creating accounts for others, like the journalist for instance. The entire Aadhaar ecosystem is leaking like a sieve,” Prakash told Al Jazeera.
The ruling Bharatiya Janata Party (BJP), meanwhile, dismissed the Tribune report as “fake news”.
Last month, India’s junior information technology minister told parliamentarians that 210 government websites had mistakenly published several citizens’ personal data.
The UIDAI says that more than 1.13 billion people are enrolled on the database. India’s finance minister says there have been 20 reported cases of Aadhaar-related bank fraud since 2015.
“Banking fraud, where people’s money is being stolen through linkage with e-payment firms, is happening because people’s personal data is available in the public,” Prakash said.
“The security infrastructure relies on these linkages being private information. Data leaks for the past year have shown that demographic authentication is much harder to do if everyone actually knows everyone else’s Aadhaar and phone number.”
The breach investigation has intensified debate over security concerns related to the ambitious national identity card project. Prime Minister Narendra Modi’s government has asked citizens to link their ID card to banking, phone accounts and government services, saying the project will lead to a “social revolution”.
The validity of the government’s orders will be debated in the top court starting on January 17.
Lack of safeguards
The Aadhaar IDs record personal biometric data, including fingerprints and eye scans, which the government says allows it to ensure that welfare services are being delivered to those who really need them.
But critics say the cards can link a large amount of data, enough to create a full profile of a person’s spending habits, phone records, rail bookings, property ownership and a trove of other information – all without clear safeguards for access or use by government or private companies.
Steps could be taken to minimise privacy risks, Prakash said.
“It’s being used everywhere senselessly. The usage of Aadhaar must be regulated. Right now, any private party can force you to disclose your Aadhaar number for any reason. It’s being mandated thoughtlessly even when there isn’t any identity fraud problem to be tackled,” he said.
American whistle-blower Edward Snowden weighed in on the Aadhaar debate on Friday, tweeting about governments’ desire for the “records of private lives”.
“History shows that no matter the laws, the result is abuse,” he said.