Identity Project

Under the right to information law, Aadhaar data breaches will remain a state secret

Scroll.in's queries for information were dismissed on grounds of national security and confidentiality.

On February 18, Hindi news daily Dainik Bhaskar reported the arrest of six salespersons of telecommunications service provider Reliance Jio in Madhya Pradesh for selling SIM cards by using the Aadhaar data and fingerprint scans of other customers for between Rs 300 and Rs 1,000.

A day earlier, security researcher Srinivas Kodali brought to the notice of the authorities that a website had leaked the Aadhaar demographic data of over five lakh minors. The website was shut down immediately.

The researcher warned of the existence of several such parallel databases that stored identification data by linking to Aadhaar, and the lack of oversight over this.

The two cases are the latest in a number of incidents in the past month that have raised questions about the security of the Aadhaar database – which contains the biometric data of over a billion Indians.

The first signs of trouble came on February 24 with media reports that the Unique Identity Authority of India – which enrols residents, stores and manages their biometric data, and issues the 12-digit Aadhaar numbers – had, in a first, registered a complaint with the Delhi Police against Axis Bank Limited, Suvidha Infoserve, which is a business correspondent with Axis, and esign provider eMudhra. The three are accused of performing multiple Aadhaar transactions using stored biometrics in violation of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016, which prohibits the storage of such data.

In all of the above cases, it is not clear if the individuals whose personal data was compromised were even informed of it. This leads to the question: what right to information does an individual have in the case of such a security breach?

Information blackout

Section 6 of the Aadhaar (Sharing of Information) Regulations says:

The Aadhaar number of an individual shall not be published, displayed or posted publicly by any person or entity or agency.

However, the Aadhaar Act lacks any provision for a mandatory notice to an individual in case of a breach of his or her information. Such a notice was a recommendation of the Justice Shah Committee on Privacy in 2012, which was set up to lay the ground for a comprehensive new privacy law.

Thus, under the law, Aadhaar users have no right to be informed when a crime related to their personal data occurs. And they cannot approach a court directly because under Section 47 (1) of the Aadhaar Act, the Unique Identification Authority of India has the exclusive power to make complaints in case of any violation or breach of privacy.

In the case of Axis Bank and the other two firms, the Authority has temporarily stopped them from conducting Aadhaar-based transactions while the investigation is on, but it is not clear if any notice has also been sent to the individuals whose stored biometrics were used illegally by the firms.

Regarding the leak of data of five lakh minors, security researcher Srinivas Kodali said he was not aware if the parents of the children had been informed about the breach after he alerted the authorities. “They should have notified parents of all minors whose data was on the website, issued them new Aadhaar numbers, but this has not happened, as far as I know,” he said. “The authorities have not even formally acknowledged that I notified them that this data was leaking.”

What’s more, information regarding breaches and security-related incidents is not accessible even under the Right to Information Act.

In response to a right to information application filed last year in the course of Scroll.in’s Identity Project series, the Unique Identification Authority of India refused to share data on how many security breaches, intrusion attempts or security incidents it had detected or been notified of. It denied this information for both its Central Identities Data Repository, where it stores all core biometric information, as well as for the other databases it maintains.

The Unique Identification Authority of India denied sharing information on data breaches under an RTI query filed by Scroll.in.

While denying the information, the Authority cited Section 8 (1) (a) of the Right to Information Act, which mentions national security and states:

8 (1) Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen,

(a) information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence.

It also cited Section 7 of the Aadhaar (Data Security) Regulations that deals with confidentiality of “procedures, orders, processes, standards and protocols” on security.

Similarly, the Authority refused to share information on security practices, citing Section 8 (1) (1) of the Right to Information Act, and Section 7 of the Aadhaar (Data Security) Regulations. “…data being national asset and sharing the systems in place can affect the security interest of the UIDAI and may lead to incitement of an offence,” it noted in its reply to Scroll.in’s right to information application.

The Authority also declined sharing information on practices maintained for data security in reply to Scroll.in's RTI query.

No disclosure

Legal experts said this absence of proactive disclosure in the Aadhaar system was in contrast with international norms on data protection and transparency towards users.

Chinmayi Arun, executive director of the Centre for Communications Governance at the National Law University, Delhi, said that in the United States, every time a breach takes place, the authorities have to follow proactive disclosure requirements.

“Other countries like the US that are used to sell the idea of government databases to Indian citizens do not run their databases with such wilful carelessness, they are required by law to publish it and inform citizens,” she said. “Here, the government refuses to make the UIDAI tell citizens when a stranger has stolen their personal data. The UIDAI refuses to divulge the most basic security breach statistics when asked under the RTI. The haphazard security of the biggest biometric database on earth should worry everyone.”

According to technology lawyer Apar Gupta, “the UIDAI is a blackbox that cannot be opened even after a system crash”.

He said, “In Aadhaar, there is no proactive duty to publish the data breach as an individual notification to the affected Aadhaar user, no legal obligation to even publish aggregate data at the end when the breach is rectified, no reporting requirement to any other government department.”

Gupta pointed out that Aadhaar lacks an oversight mechanism, and a bounty reporting system that rewards those who find and report security flaws in its system – all measures that would encourage vulnerability testing to prevent hacks and exploitive acts.

On the contrary, reporting security flaws may land one in trouble, as in the case of entrepreneur Sameer Kochhar. Last week, the Authority registered a police complaint against him after he published an article and video on his web magazine on February 11 demonstrating how Aadhaar systems were vulnerable to replay attacks in instances where firms registered with the Authority resorted to illegally storing biometrics locally.

The Delhi Police are investigating the charges made by the Authority against Kochhar under Section 37 of the Aadhaar Act, which deals with the intentional disclosure of “identity information collected in the course of enrolment or authentication”.

Lawyers and technical experts have criticised the Authority’s decision to take action against an individual for reporting a security vulnerability in Aadhaar.
