Identity Project

Under the right to information law, Aadhaar data breaches will remain a state secret

Scroll.in's queries for information were dismissed on grounds of national security and confidentiality.

On February 18, Hindi news daily Dainik Bhaskar reported the arrest of six salespersons of telecommunications service provider Reliance Jio in Madhya Pradesh for selling SIM cards by using the Aadhaar data and fingerprint scans of other customers for between Rs 300 and Rs 1,000.

A day earlier, security researcher Srinivas Kodali brought to the notice of the authorities that a website had leaked the Aadhaar demographic data of over five lakh minors. The website was shut down immediately.

The researcher warned of the existence of several such parallel databases that stored identification data by linking to Aadhaar, and the lack of oversight over this.

The two cases are the latest in a number of incidents in the past month that have raised questions about the security of the Aadhaar database – which contains the biometric data of over a billion Indians.

The first signs of trouble came on February 24 with media reports that the Unique Identity Authority of India – which enrols residents, stores and manages their biometric data, and issues the 12-digit Aadhaar numbers – had, in a first, registered a complaint with the Delhi Police against Axis Bank Limited, Suvidha Infoserve, which is a business correspondent with Axis, and esign provider eMudhra. The three are accused of performing multiple Aadhaar transactions using stored biometrics in violation of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016, which prohibits the storage of such data.

In all of the above cases, it is not clear if the individuals whose personal data was compromised were even informed of it. This leads to the question: what right to information does an individual have in the case of such a security breach?

Information blackout

Section 6 of the Aadhaar (Sharing of Information) Regulations says:

The Aadhaar number of an individual shall not be published, displayed or posted publicly by any person or entity or agency.

However, at the same time, the Aadhaar Act lacks any provision for a mandatory notice to an individual in case of a breach of his or her information – which was a recommendation of the Justice Shah Committee on Privacy in 2012, which was set up to lay the ground for a comprehensive new privacy law.

Thus, under the law, Aadhaar users have no right to be informed when a crime related to their personal data occurs. And they cannot approach a court directly because under Section 47 (1) of the Aadhaar Act, the Unique Identification Authority of India has the exclusive power to make complaints in case of any violation or breach of privacy.

In the case of Axis Bank and the other two firms, the Authority has temporarily stopped them from conducting Aadhaar-based transactions while the investigation is on, but it is not clear if any notice has also been sent to the individuals whose stored biometrics were used illegally by the firms.

Regarding the leak of data of five lakh minors, security researcher Srinivas Kodali said he was not aware if the parents of the children had been informed about the breach after he alerted the authorities. “They should have notified parents of all minors whose data was on the website, issued them new Aadhaar numbers, but this has not happened, as far as I know,” he said. “The authorities have not even formally acknowledged that I notified them that this data was leaking.”

What’s more, information regarding breaches and security-related incidents is not accessible even under the Right to Information Act.

In response to a right to information application filed last year in the course of Scroll.in’s Identity Project series, the Unique Identification Authority of India refused to share data on how many security breaches, intrusion attempts or security incidents it had detected or been notified of. It denied this information for both its Central Identities Data Repository, where it stores all core biometric information, as well as for the other databases it maintains.

The Unique Identification Authority of India denied sharing information on data breaches under an RTI query filed by Scroll.in.
The Unique Identification Authority of India denied sharing information on data breaches under an RTI query filed by Scroll.in.

While denying the information, the Authority cited Section 8 (1) (a) of the Right to Information Act, which mentions national security and states:

8 (1) Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen,

(a) information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence.

It also cited Section 7 of the Aadhaar (Data Security) Regulations that deals with confidentiality of “procedures, orders, processes, standards and protocols” on security.

Similarly, the Authority refused to share information on security practices, citing Section 8 (1) (1) of the Right to Information Act, and Section 7 of the Aadhaar (Data Security) Regulations. “…data being national asset and sharing the systems in place can affect the security interest of the UIDAI and may lead to incitement of an offence,” it noted in its reply to Scroll.in’s right to information application.

The Authority also declined sharing information on practices maintained for data security in reply to Scroll.in's RTI query.
The Authority also declined sharing information on practices maintained for data security in reply to Scroll.in's RTI query.

No disclosure

Legal experts said this absence of proactive disclosure in the Aadhaar system was in contrast with international norms on data protection and transparency towards users.

Chinmayi Arun, executive director of the Centre for Communications Governance at the National Law University, Delhi, said that in the United States, every time a breach takes place, the authorities have to follow proactive disclosure requirements.

“Other countries like the US that are used to sell the idea of government databases to Indian citizens do not run their databases with such wilful carelessness, they are required by law to publish it and inform citizens,” she said. “Here, the government refuses to make the UIDAI tell citizens when a stranger has stolen their personal data. The UIDAI refuses to divulge the most basic security breach statistics when asked under the RTI. The haphazard security of the biggest biometric database on earth should worry everyone.”

According to technology lawyer Apar Gupta, “the UIDAI is a blackbox that cannot be opened even after a system crash”.

He said, “In Aadhaar, there is no proactive duty to publish the data breach as an individual notification to the affected Aadhaar user, no legal obligation to even publish aggregate data at the end when the breach is rectified, no reporting requirement to any other government department.”

Gupta pointed out that Aadhaar lacks an oversight mechanism, and a bounty reporting system that rewards those who find and report security flaws in its system – all measures that would encourage vulnerability testing to prevent hacks and exploitive acts.

On the contrary, reporting security flaws may land one in trouble, as in the case of entrepreneur Sameer Kochhar. Last week, the Authority registered a police complaint against him after he published an article and video on his web magazine on February 11 demonstrating how Aadhaar systems were vulnerable to replay attacks in instances where firms registered with the Authority resorted to illegally storing biometrics locally.

The Delhi Police are investigating the charges made by the Authority against Kochhar under Section 37 of the Aadhaar Act, which deals with the intentional disclosure of “identity information collected in the course of enrolment or authentication”.

Lawyers and technical experts have criticised the Authority’s decision to take action against an individual for reporting a security vulnerability in Aadhaar.

Support our journalism by subscribing to Scroll+ here. We welcome your comments at letters@scroll.in.
Sponsored Content BY 

Swara Bhasker: Sharp objects has to be on the radar of every woman who is tired of being “nice”

The actress weighs in on what she loves about the show.

This article has been written by award-winning actor Swara Bhasker.

All women growing up in India, South Asia, or anywhere in the world frankly; will remember in some form or the other that gentle girlhood admonishing, “Nice girls don’t do that.” I kept recalling that gently reasoned reproach as I watched Sharp Objects (you can catch it on Hotstar Premium). Adapted from the author of Gone Girl, Gillian Flynn’s debut novel Sharp Objects has been directed by Jean-Marc Vallée, who has my heart since he gave us Big Little Lies. It stars the multiple-Oscar nominee Amy Adams, who delivers a searing performance as Camille Preaker; and Patricia Clarkson, who is magnetic as the dominating and dark Adora Crellin. As an actress myself, it felt great to watch a show driven by its female performers.

The series is woven around a troubled, alcohol-dependent, self-harming, female journalist Camille (single and in her thirties incidentally) who returns to the small town of her birth and childhood, Wind Gap, Missouri, to report on two similarly gruesome murders of teenage girls. While the series is a murder mystery, it equally delves into the psychology, not just of the principal characters, but also of the town, and thus a culture as a whole.

There is a lot that impresses in Sharp Objects — the manner in which the storytelling gently unwraps a plot that is dark, disturbing and shocking, the stellar and crafty control that Jean-Marc Vallée exercises on his narrative, the cinematography that is fluid and still manages to suggest that something sinister lurks within Wind Gap, the editing which keeps this narrative languid yet sharp and consistently evokes a haunting sensation.

Sharp Objects is also liberating (apart from its positive performance on Bechdel parameters) as content — for female actors and for audiences in giving us female centric and female driven shows that do not bear the burden of providing either role-models or even uplifting messages. 

Instead, it presents a world where women are dangerous and dysfunctional but very real — a world where women are neither pure victims, nor pure aggressors. A world where they occupy the grey areas, complex and contradictory as agents in a power play, in which they control some reigns too.

But to me personally, and perhaps to many young women viewers across the world, what makes Sharp Objects particularly impactful, perhaps almost poignant, is the manner in which it unravels the whole idea, the culture, the entire psychology of that childhood admonishment “Nice girls don’t do that.” Sharp Objects explores the sinister and dark possibilities of what the corollary of that thinking could be.

“Nice girls don’t do that.”

“Who does?”

“Bad girls.”

“So I’m a bad girl.”

“You shouldn’t be a bad girl.”

“Why not?”

“Bad girls get in trouble.”

“What trouble? What happens to bad girls?”

“Bad things.”

“What bad things?”

“Very bad things.”

“How bad?”

“Terrible!!!”

“Like what?”

“Like….”

A point the show makes early on is that both the victims of the introductory brutal murders were not your typically nice girly-girls. Camille, the traumatised protagonist carrying a burden from her past was herself not a nice girl. Amma, her deceptive half-sister manipulates the nice girl act to defy her controlling mother. But perhaps the most incisive critique on the whole ‘Be a nice girl’ culture, in fact the whole ‘nice’ culture — nice folks, nice manners, nice homes, nice towns — comes in the form of Adora’s character and the manner in which beneath the whole veneer of nice, a whole town is complicit in damning secrets and not-so-nice acts. At one point early on in the show, Adora tells her firstborn Camille, with whom she has a strained relationship (to put it mildly), “I just want things to be nice with us but maybe I don’t know how..” Interestingly it is this very notion of ‘nice’ that becomes the most oppressive and deceptive experience of young Camille, and later Amma’s growing years.

This ‘Culture of Nice’ is in fact the pervasive ‘Culture of Silence’ that women all over the world, particularly in India, are all too familiar with. 

It takes different forms, but always towards the same goal — to silence the not-so-nice details of what the experiences; sometimes intimate experiences of women might be. This Culture of Silence is propagated from the child’s earliest experience of being parented by society in general. Amongst the values that girls receive in our early years — apart from those of being obedient, dutiful, respectful, homely — we also receive the twin headed Chimera in the form of shame and guilt.

“Have some shame!”

“Oh for shame!”

“Shameless!”

“Shameful!”

“Ashamed.”

“Do not bring shame upon…”

Different phrases in different languages, but always with the same implication. Shameful things happen to girls who are not nice and that brings ‘shame’ on the family or everyone associated with the girl. And nice folks do not talk about these things. Nice folks go on as if nothing has happened.

It is this culture of silence that women across the world today, are calling out in many different ways. Whether it is the #MeToo movement or a show like Sharp Objects; or on a lighter and happier note, even a film like Veere Di Wedding punctures this culture of silence, quite simply by refusing to be silenced and saying the not-nice things, or depicting the so called ‘unspeakable’ things that could happen to girls. By talking about the unspeakable, you rob it of the power to shame you; you disallow the ‘Culture of Nice’ to erase your experience. You stand up for yourself and you build your own identity.

And this to me is the most liberating aspect of being an actor, and even just a girl at a time when shows like Sharp Objects and Big Little Lies (another great show on Hotstar Premium), and films like Veere Di Wedding and Anaarkali Of Aarah are being made.

The next time I hear someone say, “Nice girls don’t do that!”, I know what I’m going to say — I don’t give a shit about nice. I’m just a girl! And that’s okay!

Swara is a an award winning actor of the Hindi film industry. Her last few films, including Veere Di Wedding, Anaarkali of Aaraah and Nil Battey Sannata have earned her both critical and commercial success. Swara is an occasional writer of articles and opinion pieces. The occasions are frequent :).

Watch the trailer of Sharp Objects here:

Play

This article was published by the Scroll marketing team with Swara Bhasker on behalf of Hotstar Premium and not by the Scroll editorial team.