On February 18, Hindi news daily Dainik Bhaskar reported the arrest of six salespersons of telecommunications service provider Reliance Jio in Madhya Pradesh for selling SIM cards by using the Aadhaar data and fingerprint scans of other customers for between Rs 300 and Rs 1,000.
A day earlier, security researcher Srinivas Kodali brought to the notice of the authorities that a website had leaked the Aadhaar demographic data of over five lakh minors. The website was shut down immediately.
The researcher warned of the existence of several such parallel databases that stored identification data by linking to Aadhaar, and the lack of oversight over this.
The two cases are the latest in a number of incidents in the past month that have raised questions about the security of the Aadhaar database – which contains the biometric data of over a billion Indians.
The first signs of trouble came on February 24 with media reports that the Unique Identity Authority of India – which enrols residents, stores and manages their biometric data, and issues the 12-digit Aadhaar numbers – had, in a first, registered a complaint with the Delhi Police against Axis Bank Limited, Suvidha Infoserve, which is a business correspondent with Axis, and esign provider eMudhra. The three are accused of performing multiple Aadhaar transactions using stored biometrics in violation of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016, which prohibits the storage of such data.
In all of the above cases, it is not clear if the individuals whose personal data was compromised were even informed of it. This leads to the question: what right to information does an individual have in the case of such a security breach?
Information blackout
Section 6 of the Aadhaar (Sharing of Information) Regulations says:
The Aadhaar number of an individual shall not be published, displayed or posted publicly by any person or entity or agency.
However, at the same time, the Aadhaar Act lacks any provision for a mandatory notice to an individual in case of a breach of his or her information – which was a recommendation of the Justice Shah Committee on Privacy in 2012, which was set up to lay the ground for a comprehensive new privacy law.
Thus, under the law, Aadhaar users have no right to be informed when a crime related to their personal data occurs. And they cannot approach a court directly because under Section 47 (1) of the Aadhaar Act, the Unique Identification Authority of India has the exclusive power to make complaints in case of any violation or breach of privacy.
In the case of Axis Bank and the other two firms, the Authority has temporarily stopped them from conducting Aadhaar-based transactions while the investigation is on, but it is not clear if any notice has also been sent to the individuals whose stored biometrics were used illegally by the firms.
Regarding the leak of data of five lakh minors, security researcher Srinivas Kodali said he was not aware if the parents of the children had been informed about the breach after he alerted the authorities. “They should have notified parents of all minors whose data was on the website, issued them new Aadhaar numbers, but this has not happened, as far as I know,” he said. “The authorities have not even formally acknowledged that I notified them that this data was leaking.”
What’s more, information regarding breaches and security-related incidents is not accessible even under the Right to Information Act.
In response to a right to information application filed last year in the course of Scroll.in’s Identity Project series, the Unique Identification Authority of India refused to share data on how many security breaches, intrusion attempts or security incidents it had detected or been notified of. It denied this information for both its Central Identities Data Repository, where it stores all core biometric information, as well as for the other databases it maintains.
While denying the information, the Authority cited Section 8 (1) (a) of the Right to Information Act, which mentions national security and states:
8 (1) Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen,
(a) information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence.
It also cited Section 7 of the Aadhaar (Data Security) Regulations that deals with confidentiality of “procedures, orders, processes, standards and protocols” on security.
Similarly, the Authority refused to share information on security practices, citing Section 8 (1) (1) of the Right to Information Act, and Section 7 of the Aadhaar (Data Security) Regulations. “…data being national asset and sharing the systems in place can affect the security interest of the UIDAI and may lead to incitement of an offence,” it noted in its reply to Scroll.in’s right to information application.
No disclosure
Legal experts said this absence of proactive disclosure in the Aadhaar system was in contrast with international norms on data protection and transparency towards users.
Chinmayi Arun, executive director of the Centre for Communications Governance at the National Law University, Delhi, said that in the United States, every time a breach takes place, the authorities have to follow proactive disclosure requirements.
“Other countries like the US that are used to sell the idea of government databases to Indian citizens do not run their databases with such wilful carelessness, they are required by law to publish it and inform citizens,” she said. “Here, the government refuses to make the UIDAI tell citizens when a stranger has stolen their personal data. The UIDAI refuses to divulge the most basic security breach statistics when asked under the RTI. The haphazard security of the biggest biometric database on earth should worry everyone.”
According to technology lawyer Apar Gupta, “the UIDAI is a blackbox that cannot be opened even after a system crash”.
He said, “In Aadhaar, there is no proactive duty to publish the data breach as an individual notification to the affected Aadhaar user, no legal obligation to even publish aggregate data at the end when the breach is rectified, no reporting requirement to any other government department.”
Gupta pointed out that Aadhaar lacks an oversight mechanism, and a bounty reporting system that rewards those who find and report security flaws in its system – all measures that would encourage vulnerability testing to prevent hacks and exploitive acts.
On the contrary, reporting security flaws may land one in trouble, as in the case of entrepreneur Sameer Kochhar. Last week, the Authority registered a police complaint against him after he published an article and video on his web magazine on February 11 demonstrating how Aadhaar systems were vulnerable to replay attacks in instances where firms registered with the Authority resorted to illegally storing biometrics locally.
The Delhi Police are investigating the charges made by the Authority against Kochhar under Section 37 of the Aadhaar Act, which deals with the intentional disclosure of “identity information collected in the course of enrolment or authentication”.
Lawyers and technical experts have criticised the Authority’s decision to take action against an individual for reporting a security vulnerability in Aadhaar.