Time and again, whenever a security allegation is made against the Aadhaar ecosystem, the Unique Identification Authority of India (UIDAI) comes out with a standard response, the allegation in question is irrelevant to security, the Aadhaar 'system' (read biometric database) is completely secure, and, in certain cases, an FIR against the reporter. The latest security allegations against Aadhaar are in the form of French researcher Robert Baptiste (going by the alias Elliot Alderson), who claims to have found 20,000 Aadhaar cards publicly online, within a span of 3 hours.
Representational image. Reuters.
The UIDAI's response to this (a statement on Twitter which is being >assumed to be in response to Baptiste's allegations) is extremely worrying, stating that first of all, people should share Aadhaar freely, and second of all, that disclosure of not only Aadhaar numbers, but also PAN numbers, bank account numbers and passport, poses no threat to the security of the systems of which they are a part (See Tweet number 7/n). It appears that as per the UIDAI, the only data worth protecting, is biometric data, and the only thing that constitutes a threat to the 'system', any system, is a large-scale technical breach.
The UIDAI's statement- Aadhaar is not confidential
The >UIDAI's Twitter statement on Aadhaar numbers is that it is 'never to be treated as a confidential document'. It is to be shared openly and freely, as and when 'required and asked for'. Further, Aadhaar numbers, like PAN, passport and other details are 'ordinarily' to be protected to 'ensure privacy'.
UIDAI has dismissed the reports as irresponsible which appeared in a section of social and other media on security of Aadhaar system being questioned on account of a few Aadhaar cards reportedly put on the internet by some unscrupulous elements. 1/n
" Aadhaar (@UIDAI) March 11, 2018
The remedy offered by the UIDAI for this is to sue the publisher of such details for civil damages for the infringement of privacy. Lastly, the statement says that the disclosure of numbers like PAN, Passport, Aadhaar and bank account numbers does not 'impact or threaten the security of the banking, income tax or passport system'.
Disclosure of Aadhaar, PAN, and bank account numbers is extremely harmful
The UIDAI has always taken an extremely narrow stance on privacy, concerning itself only with biometric data. It has also betrayed an absolute lack of understanding of the risk that data disclosures pose to people in today's world of cybercrime. This was seen, for instance, with >The Tribune story, after which the UIDAI made a statement that the demographic data disclosed, like name, date of birth, address, PIN, photo, phone number, and e-mails cannot be misused. The UIDAI's latest statement has now added Aadhaar, PAN, passport, and bank account numbers to this list of data, the disclosure of which is not harmful.
Consider a simple method of cybercrime today- account recovery mechanisms. This may be of the income tax website or a bank's website. Consider the data that is normally needed to recover a password- PAN number, account number, date of birth, e-mail, and so on. A password is needed, sent either to an e-mail or via OTP. To give one example, passwords to an e-mail account can quite easily be found in the dark net (See this >report on how a person's e-mail account was hacked into within 36 hours using just their name).
OTPs have been extracted from people, whether through fraudulent phone calls or through duplicating SIM cards. Consider this report where the victim's bank account was emptied after obtaining a duplicate sim, obtained via a fraudulent phone call made under the pretext of Aadhaar- Sim linking. Reports have similarly arisen on scams which are said to be related to> Aadhaar linked bank accounts, and >Aadhaar based UPI apps.
Aadhaar, PAN, bank account numbers are huge targets for cybercriminals
Each of these examples uses a combination of data to gain access to these systems, data which, as per the UIDAI, cannot impact or harm the system. This data- people's name, address, e-mail, mobile numbers, and their Aadhaar, PAN, bank account and passport numbers form their most crucial data and is the biggest target of cybercriminals. The UIDAI offers biometrics as a solution, but note that firstly, not one of these example uses biometric data, and secondly, biometric authentication has made biometrics the next biggest target of cybercriminals.
Each new piece of data found on the internet adds to the umpteen databases on the darknet, leading to more and more detailed profiles of individuals. It is only a matter of time before biometrics are added to this, if they haven't already been added. Moreover, cybercriminals and their techniques are becoming increasingly sophisticated. The rate at which new means of scamming people arise far exceeds the rate at which the crimes are discovered and stopped.
In such a situation, instead of treating this data with utmost confidentiality, the UIDAI has instead dismissed their value towards the security of various systems.
UIDAI contradicts its own statement on Aadhaar number confidentiality
The most surprising part of this statement is that the UIDAI has, in fact, contradicted its own statements and actions in the past with respect to protecting the Aadhaar number. Consider the Virtual ID system. Without going into the problems that the Virtual ID system in itself has, the whole purpose of Virtual ID is to protect the Aadhaar number; to prevent its disclosure.
The UIDAI, has also, in the past, advised people to be 'very discreet' with sharing their Aadhaar number. The same thing can also be seen looking at the Aadhaar Act and regulations themselves, where the publication of Aadhaar numbers is a punishable offence ( See Section 29 of the Aadhaar Act and Regulation 6 of the Aadhaar (Sharing of Information) Regulations).
In the past, the UIDAI has advised people to be very discreet about sharing their Aadhaar number. Getty.
A threat to the 'system'
Further, a threat to the 'system', be it the Aadhaar system (not just the Aadhaar biometric database, but the Aadhaar ecosystem), the banking system or the income tax system, does not involve large-scale hacks only. Hacking even a single person's account is a huge vulnerability and a threat to the system. One simple reason is that a cybercriminal who succeeds in gaining access to one person's account through one method will definitely try the same method with other people's accounts.
As >The Tribune story revealed, an Aadhaar number also can also cause harm to the Aadhaar system, since that was all that was needed to extract a person's personal information. Even if the UIDAI has fixed this particular issue, more such vulnerabilities and loopholes will be found, again.
UIDAI says sue for civil damages
In the last part of its statement, the UIDAI suggests that people's remedy for any data disclosed is to sue the publisher for civil damages for violation of privacy. The UIDAI's statement, however, does not mention if any effort was made on the UIDAI's part to investigate the reports (Baptiste's or otherwise) before dismissing them as irresponsible. In the past, the UIDAI had similarly dismissed The Tribune story as >misreporting, and then later went on to file the FIR.
People's remedies under the law
The Aadhaar Act, it must be remembered, authorizes only the UIDAI to act against violations of the Aadhaar Act, including such publications of Aadhaar numbers (See Section 47 of the Aadhaar Act). The people have been given no power to act against it, beyond filing a grievance. Thus, people have no remedy under the Aadhaar Act.
People's remedies are those provided under the Information Technology Act. Section 43A of this Act grants damages by way of compensation. However, for this, a wrongful loss has to be proved. This can be difficult, particularly when the effects of a loss of data are often felt much later, by way of a cybercrime. In fact, when a cybercrime occurs, it is often difficult to find out where the data used for the crime was sourced from. Another option is Section 72A, but this only penalizes a deliberate disclosure of data, made with the intent to harm a person, and in breach of contract.
The main issue with these remedies are, first of all, most people will not even know if their data was disclosed via such a publication. Secondly, even if they do know, most people will not be in a position to pursue a case in a court of law, unless the damage is significant. Add to this the UIDAI's statements that the disclosure of this data will not harm the system, and people's incentive to act against such disclosures reduces further.
UIDAI's responsibility to act against violations
This is one of the reasons why the proposal of class action lawsuits under the Data Protection Framework is so welcome. With the inadequacy of current regulations, the solution, therefore, lies with penalizing the publisher and having the data removed. This power, however, lies only with the UIDAI, making its responsibility to act against such violations that much greater. Its reactions to reports, however, whether to the current allegations, The Tribune report, or the mAadhaar app flaw, however, in no way encourages such researchers to approach the UIDAI.
Such statements can send a wrong signal
The UIDAI has long since needed to take a much more responsible approach to privacy. Where the UIDAI should be advising people to treat such data with extreme caution, a statement like the current one can send a very wrong signal to the people. It needs to realize the cruciality of the data in its possession and work with the people to protect this data. Hopefully, the ongoing hearings in the Supreme Court will result in the required privacy obligations on the UIDAI, as well as greater rights to the people.